Florent Guillaume wrote:
> # Zope Python Script (Python 2): 'printed' collects the output of print
> from AccessControl import getSecurityManager
> user = getSecurityManager().getUser()
> print user.getRoles()
> return printed
>
> returns ('Manager', 'Authenticated') when logged in as a manager
>
> This queries the user object, and returns all roles the implementation
> decided to return.

Are you implying that something else gives the user the Anonymous role as far as Zope security is concerned?


> Standard user folder only returns 'Authenticated' in
> addition to the roles explicitly given to that user....

Indeed, but they don't give Anonymous to any user who has provided successful auth credentials.


> (FWIW in CPSUserFolder we chose to return Authenticated as well as
> Anonymous to be consistent.)

In what context? Providing both Authenticated and Anonymous on the same user at the same time seems bizarre ;-)


> ...but from the security machinery's point of view, if an object or
> method is protected by a permission given to the role Anonymous, then
> any user will have access. ImplPython.validate has:
>         # Short-circuit tests if we can:
>         try:
>             if roles is None or 'Anonymous' in roles:
>                 return 1
> (roles here is the roles issued from the permission on the object considered.)

Indeed, this is a little wart but one that makes sense. It doesn't, however, mean that Authenticated users have the Anonymous role, which was the original question.


However, my example was incorrect, since provided anonymous can BeAnon, then so can anyone else, which is a little odd, but doesn't really matter in the grand scheme of things...

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
           - http://www.simplistix.co.uk
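The role check discussed above, as an added example that is not part of the original thread and is not Zope's own code: a simplified model of the short-circuit Chris quotes from ImplPython.validate. The role tuples, the "BeAnon" permission and the hypothetical CPS-style role list are constructed for illustration; real Zope also consults local roles, proxy roles and executable ownership, none of which is modelled here.

```python
# Added example, not code from the original post or from Zope itself: a
# simplified model of the role check quoted from ImplPython.validate, to show
# why a Manager never needs the Anonymous role to use something granted to
# Anonymous. Real Zope also looks at local roles, proxy roles and executable
# ownership; none of that is modelled here.

# Roles as the standard user folder reports them (constructed values).
MANAGER = ('Manager', 'Authenticated')
ANONYMOUS = ('Anonymous',)
# Hypothetical: what a CPSUserFolder-style implementation would report for
# the same manager, i.e. Anonymous alongside Authenticated.
CPS_MANAGER = ('Manager', 'Authenticated', 'Anonymous')


def validate(user_roles, permission_roles):
    """Return True if a user holding user_roles may use an object whose
    protecting permission is granted to permission_roles.

    permission_roles is None for an unprotected (public) attribute, otherwise
    a tuple of role names. The first test mirrors the short-circuit quoted
    from ImplPython.validate: public objects and anything granted to Anonymous
    are open to everybody, whatever roles the user actually holds.
    """
    if permission_roles is None or 'Anonymous' in permission_roles:
        return True
    # Otherwise the user needs at least one of the granted roles.
    return any(role in permission_roles for role in user_roles)


def manager_has_anonymous_role():
    """The standard user folder never hands Anonymous to an authenticated
    user, so this is False for the manager above."""
    return 'Anonymous' in MANAGER


def be_anon_results():
    """Chris's 'BeAnon' case: a permission granted only to Anonymous.
    Everyone passes, the manager included, because of the short-circuit."""
    granted = ('Anonymous',)
    return {
        'anonymous': validate(ANONYMOUS, granted),
        'manager': validate(MANAGER, granted),
    }


def cps_roles_change_nothing():
    """Reporting Anonymous alongside Authenticated makes no difference to any
    decision in this model: a permission naming Anonymous already admits
    everyone before user roles are consulted, and a permission that does not
    name it cannot be satisfied by the extra role. Checked over a sample of
    permission grants."""
    samples = [None, (), ('Anonymous',), ('Authenticated',), ('Manager',),
               ('Manager', 'Anonymous'), ('Owner',)]
    return all(validate(MANAGER, p) == validate(CPS_MANAGER, p)
               for p in samples)


if __name__ == '__main__':
    print('Manager holds Anonymous role:', manager_has_anonymous_role())
    print('BeAnon (granted to Anonymous only):', be_anon_results())
    print('CPS-style roles change any decision:',
          not cps_roles_change_nothing())
```

The practical consequence is the one Chris draws: granting a permission to Anonymous is the same as granting it to everybody, so "Anonymous only" is not a way to restrict something to unauthenticated visitors, and whether a user folder also lists Anonymous among an authenticated user's roles is cosmetic as far as this check is concerned.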

_______________________________________________
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
