We've just noticed that in zope 2.3.3, using declarePublic has the side-effect of making a request anonymous. That is, a logged-in manager, viewing a declarePublic()'ed page will appear to be anonymous. This isn't mentioned in the manual, and probably should be, assuming it's the desired behaviour. Richard
Yeah, this is due to a shortcut in authentication. I don't particularly like this behavior. It bites lots of people. I wonder if we could change it. Richard Jones wrote:
We've just noticed that in zope 2.3.3, using declarePublic has the side-effect of making a request anonymous. That is, a logged-in manager, viewing a declarePublic()'ed page will appear to be anonymous. This isn't mentioned in the manual, and probably should be, assuming it's the desired behaviour.
Richard
_______________________________________________ Zope-Dev maillist - Zope-Dev@zope.org http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
-- Chris McDonough Zope Corporation http://www.zope.org http://www.zope.com "Killing hundreds of birds with thousands of stones"
* Chris McDonough <chrism@digicool.com> [010903 18:42]:
Yeah, this is due to a shortcut in authentication. I don't particularly like this behavior. It bites lots of people. I wonder if we could change it.
I think so, FWIW. As you say, this behaviour is a result of an implementation shortcut, rather than by design; I doubt the performance benefits outweigh the silliness of the resulting behaviour. I thought I remembered someone from ZC saying it was changed for 2.4, though? seb
seb bacon wrote:
* Chris McDonough <chrism@digicool.com> [010903 18:42]:
Yeah, this is due to a shortcut in authentication. I don't particularly like this behavior. It bites lots of people. I wonder if we could change it.
I think so, FWIW. As you say, this behaviour is a result of an implementation shortcut, rather than by design; I doubt the performance benefits outweigh the silliness of the resulting behaviour.
I thought I remembered someone from ZC saying it was changed for 2.4, though?
Geez, I don't think so... maybe you mean the "Authenticated" role being added? I'd say ditch the current behavior if we can be reasonably certain that nothing important (especially in the ZMI) depends on it. Anybody want to write a fishbowl proposal? ;-) -- Chris McDonough Zope Corporation http://www.zope.org http://www.zope.com "Killing hundreds of birds with thousands of stones"
Chris McDonough wrote:
seb bacon wrote:
* Chris McDonough <chrism@digicool.com> [010903 18:42]:
Yeah, this is due to a shortcut in authentication. I don't particularly like this behavior. It bites lots of people. I wonder if we could change it.
I think so, FWIW. As you say, this behaviour is a result of an implementation shortcut, rather than by design; I doubt the performance benefits outweigh the silliness of the resulting behaviour. I thought I remembered someone from ZC saying it was changed for 2.4, though?
Geez, I don't think so... maybe you mean the "Authenticated" role being added?
I'd say ditch the current behavior if we can be reasonably certain that nothing important (especially in the ZMI) depends on it.
Anybody want to write a fishbowl proposal? ;-)
No, Seb is right. As of Zope 2.4.x, authentication always occurs now. We did some tests with different configurations and nothing broke so we fixed it for good. :-) Shane
Richard Jones writes:
We've just noticed that in zope 2.3.3, using declarePublic has the side-effect of making a request anonymous. That is, a logged-in manager, viewing a declarePublic()'ed page will appear to be anonymous. This isn't mentioned in the manual, and probably should be, assuming it's the desired behaviour. It has been removes in Zope 2.4....
Dieter
participants (5)
-
Chris McDonough -
Dieter Maurer -
Richard Jones -
seb bacon -
Shane Hathaway