Chris Withers  <[EMAIL PROTECTED]> wrote:
> Dieter Maurer wrote:
> >>A user will have the Anonymous role iff they have not supplied any 
> >>authentication credentials.
> > 
> > Any user has the "Anonymous" role whether or not it is authenticated.
> Really?
> Then how come the following script:
> from AccessControl import getSecurityManager
> user = getSecurityManager().getUser()
> print user.getRoles()
> return printed
> returns ('Manager', 'Authenticated') when logged in as a manager

This queries the user object, and returns all roles the implementation
decided to return. Standard user folder only returns 'Authenticated' in
addition to the roles explicitely given to that user....

(FWIW in CPSUserFolder we chose to return Authenticated as well as
Anonymous to be consistent.)

> and ('Anonymous',) when anonymous?
> >>A user will never have Authenticated and Anonymous roles at the same time.
> > 
> > This is wrong.
> See above.

...but from the security machinery's point of view, if an object or
method is protected by a permission given to the role Anonymous, then
any user will have access. ImplPython.validate has:
        # Short-circuit tests if we can:
            if roles is None or 'Anonymous' in roles:
                return 1
(roles here is the roles issued from the permission on the object considered.)


Florent Guillaume, Nuxeo (Paris, France)   CTO, Director of R&D
+33 1 40 33 71 59   [EMAIL PROTECTED]
Zope maillist  -
**   No cross posts or HTML encoding!  **
(Related lists - )

Reply via email to