(This was a one-man thread of mine on zope@, it seemed to be getting more technical, so I thought I'd move it to zope-dev@...) On Thu, 25 Mar 1999, John Eikenberry wrote:
I'm having a strange problem with logged-in users getting to anonymous areas of the site. Here's a simplified example to explain...
Two directories off the /:
/private
/public
/private allows no access to "Anonymous User", requiring a login.
There are no usernames in /acl_users. All the user info for logging into /private is kept in /private/acl_users.
/public has no acl_users folder.
If you start up netscape, you can get to /public without any problems. But once you've logged into /private, you can't get back to /public without getting an unauthorized error...
Ok, the problem was that I had the roles defined on the top level folder and the users defined in the subfolder. By moving the roles into the subfolder, the problem went away.
Ack... I spoke too soon... but I've figured out a fix and I'd like to bounce it off the group to see if you'd think it'd break anything. The fix was to modify AccessControl.User.validate()... here's a unified diff showing what I changed...

@@ +390,10 -388,7 @@ # Try to get user user=self.getUser(name) if user is None: + if self._isTop(): + return self._nobody + else: + return None - return None

Key:
self._nobody returns the Anonymous User object
self.getUser tries to get the user object from an acl_users folder

The problem I was having was that validate() was getting passed the authentication information for the person who was defined in a subfolder which it didn't have access to... so... the validate would return None, which would raise the Unauthorized error. By having it return the Anonymous User object (only at the top level), it allows access to public areas without sacrificing security.

Does this make sense... does anyone see any potential problems?

Thanks for any help,

---
John Eikenberry [jae@kavi.com - http://taos.kavi.com/~jae/]
______________________________________________________________
"A society that will trade a little liberty for a little order will deserve neither and lose both." --B. Franklin
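Review bot: The new `if self._isTop(): return self._nobody` branch fires for any name that `self.getUser(name)` cannot find at the top level, not only for credentials that belong to a subfolder's acl_users, so a mistyped or unknown username presented at the top level is now treated as an anonymous visit instead of a failed login; either narrow the fallback to that intended case or state explicitly that top-level credential misses become indistinguishable from anonymous access. The `else: return None` is also redundant, since the `if` branch already returns; the removed `return None` could simply stay as the fall-through.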
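The folder layout and the before/after behaviour of the validate() change described in the thread, as an added, constructed model (not Zope code; the Folder class, authorize() and the credentials used are stand-ins):

```python
# Constructed model of nested acl_users lookup; the Folder class and authorize()
# are simplifications, not Zope's AccessControl.User implementation.
ANONYMOUS = "Anonymous User"

class Folder:
    """A folder that may carry its own acl_users (a name -> password dict)."""
    def __init__(self, name, parent=None, acl_users=None, allow_anonymous=True):
        self.name, self.parent = name, parent
        self.acl_users = acl_users            # None means no acl_users folder here
        self.allow_anonymous = allow_anonymous

    def _isTop(self):
        return self.parent is None

    def getUser(self, name):
        if self.acl_users is None or name not in self.acl_users:
            return None
        return name

    def validate(self, name, password, patched):
        """Stand-in for validate() before (patched=False) and after the change."""
        user = self.getUser(name)
        if user is None:
            if patched and self._isTop():
                return ANONYMOUS          # proposed change: top-level miss -> anonymous
            return None                   # original: unknown name -> no identity
        return user if self.acl_users[name] == password else None

def authorize(folder, creds, patched=False):
    """Resolve the identity used to reach `folder`; None means Unauthorized."""
    identity = None
    if creds is None:
        identity = ANONYMOUS
    else:
        f = folder
        while f is not None and identity is None:   # consult acl_users from here upward
            if f.acl_users is not None:
                identity = f.validate(creds[0], creds[1], patched)
            f = f.parent
    if identity == ANONYMOUS and not folder.allow_anonymous:
        return None
    return identity

# Layout from the thread: empty top-level acl_users, users only under /private.
root = Folder("/", acl_users={})
private = Folder("/private", root, {"jae": "secret"}, allow_anonymous=False)
public = Folder("/public", root)          # no acl_users folder
```

With the original behaviour, reaching /public while carrying the /private credentials yields Unauthorized; with the change it yields the anonymous identity, while /private still rejects a wrong password or an anonymous visit.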