When doing user.getRoles(). Because as Tres said more clearly than me, every user can do what the Anonymous role can, so it's just being consistent to express that in user.getRoles(). IMHO.
Well, yours is the only userfolder implementation that does.
While I agree in the security short circuiting code, I think having a getRoles return Anonymous and Authenticated at the same time is bizarre...
Simplistix - Content Management, Zope & Python Consulting