Thank god for Dieter. :-)
I'll trust that you're right, Dieter, because reading the traversal
machinery code makes my head hurt. :-)
----- Original Message -----
From: "Dieter Maurer" <[EMAIL PROTECTED]>
To: "Chris McDonough" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, January 12, 2001 5:00 PM
Subject: Re: [Zope] hasRole bug or feature in 2.2.?
> Chris McDonough writes:
> > You didn't protect the isMember document. It's viewable by Anonymous.
> > Zope security machinery short-circuits authentication for resources
> > don't require it. This means that when you view a resource that's
> > unprotected, you view it "as Anonymous". Anonymous doesn't have the
> > role, so you see "You are NOT a Member" when you view /isMember.
> > I don't particularly like this behavior, but it seems not to bother
> > else. I think it should authorize you and set AUTHENTICATED_USER if
> > pass in auth info regardless of the protection on the resource you're
> > to view.
> It would bother me a lot, if you were right :-)
> Fortunately, you are not completely right.
> What really happens is the following:
> when ZPublisher has located the object addressed by
> the request URL, it starts going back its way
> along PARENTS to find a UserFolder that can
> authenticate a user with sufficient permissions
> to call the object.
> If the object is unprotected, then no permissions
> are required. In this case, the top level
> UserFolder will return "Anonymous",
> if it is reached and it cannot authenticate the
> Therefore, an unprotected object can be
> called by Anonymous and in this case,
> "hasRole" is that of "Anonymous", as Chris
> However, if previously a protected object
> has been accessed, then your browser may (and usually
> will) send Authentication information with
> all following requests.
> A UserFolder will use this information (if present)
> to authenticate the user, even if no permissions
> are necessary for object access.
> If successful, AUTHENTICATED_USER will not
> be "Anonymous" even though the accessed object
> is unprotected.
> Zope maillist - [EMAIL PROTECTED]
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope-dev )
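The validation walk Dieter describes, as a simplified Python model added here (this is not Zope's own code: `UserFolder`, `Folder`, `validate` and `has_role` are constructed stand-ins for `acl_users`, ZPublisher's PARENTS walk and `hasRole`, and the site data is made up). It shows why an unprotected `/isMember` renders as Anonymous when no credentials arrive, but as the logged-in user once the browser has started sending Authentication headers.

```python
from dataclasses import dataclass

ANONYMOUS = "Anonymous"

@dataclass
class UserFolder:
    users: dict  # name -> (password, roles); constructed sample data
    def authenticate(self, auth):
        """Return the user name if the (name, password) pair is valid, else None."""
        if auth is None:
            return None
        name, password = auth
        record = self.users.get(name)
        return name if record and record[0] == password else None

@dataclass
class Folder:
    user_folder: "UserFolder | None" = None
    roles_required: "frozenset | None" = None  # None: unprotected object

def validate(parents, auth):
    """Walk PARENTS (parents[0]=published object, parents[-1]=root); return AUTHENTICATED_USER."""
    required = parents[0].roles_required
    for folder in parents:
        uf = folder.user_folder
        if uf is None:
            continue
        user = uf.authenticate(auth)
        # Credentials the browser sent are used even when no permission is
        # needed, so a valid login is never downgraded to Anonymous.
        if user and (required is None or required & uf.users[user][1]):
            return user
        if folder is parents[-1] and required is None:
            return ANONYMOUS  # top-level UserFolder reached, no login needed
    raise PermissionError("Unauthorized")

def has_role(user, role, parents):
    """hasRole as seen from the published object; Anonymous is in no UserFolder."""
    for folder in parents:
        uf = folder.user_folder
        if uf and user in uf.users:
            return role in uf.users[user][1]
    return False

# Constructed site: root acl_users knows "chris" (Member); /isMember is unprotected.
ROOT = Folder(UserFolder({"chris": ("secret", frozenset({"Member"}))}))
IS_MEMBER = Folder()

def is_member_page(auth):
    user = validate([IS_MEMBER, ROOT], auth)
    return "You are a Member" if has_role(user, "Member", [IS_MEMBER, ROOT]) else "You are NOT a Member"
```

A protected object (`Folder(roles_required=frozenset({"Member"}))`) walked without credentials raises `PermissionError`, which is the point at which a real UserFolder would challenge the browser for a login.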