Chris Withers wrote:
Hi Dennis,
Dennis Allison wrote:
Are the standard roles (anonymous, authorized_user, manager) inclusive? By inclusive I mean that an authorized_user is also treated as an anonymous_user and that a manager is also anonymous and an authorized_user.
Anonymous and Authenticated are two special roles.
A user will have the Anonymous role iff they have not supplied any authentication credentials.
A user will have the Authenticated role iff they HAVE supplied authentication credentials.
A user will never have Authenticated and Anonymous roles at the same time.
For all other roles, the user has those roles or not. Having or not having a role has no effect on having or not having any other role.
The permissions a user has are the logical OR of all the permissions mapped to all the roles the user has.
eg:

          Anonymous  Authenticated  Manager  Wizard
BeAnon        x
View          x            x           x
Change                     x
Delete                                 x
Magik                                           x
So, the anonymous user can view things, and is the only user who can BeAnon. A manager can View and Delete things, they can also Change things by way of their being authenticated. A person with only the Wizard role will be able to do Magik as well as change and view things by way of being authenticated. A user with Manager and Wizard roles will be able to view, change, delete and do magik, but even that magik won't allow them to BeAnon ;-)
HTH,
Chris
Chris,

I *think* the security machinery is short-circuited when Anonymous has granted a permission. In this case everybody gets that permission granted. Is that so ??

Robert
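The two readings in this thread can be compared with a small model, added here as an example; it is not Zope's AccessControl code and not code from either poster. The function names are illustrative assumptions and the permission table is the one from Chris's message.

```python
# Simplified model of the role/permission rules discussed in this thread.
# Not Zope's AccessControl code; every name below is illustrative.

# Permission -> roles it is mapped to (the table from Chris's message).
PERMISSION_ROLES = {
    "BeAnon": {"Anonymous"},
    "View": {"Anonymous", "Authenticated", "Manager"},
    "Change": {"Authenticated"},
    "Delete": {"Manager"},
    "Magik": {"Wizard"},
}


def effective_roles(assigned_roles, has_credentials):
    """Add exactly one of the two special roles to the assigned ones."""
    special = "Authenticated" if has_credentials else "Anonymous"
    return set(assigned_roles) | {special}


def allowed_strict(permission, roles):
    """Reading 1: granted only if the user holds a role mapped to it."""
    return bool(PERMISSION_ROLES[permission] & roles)


def allowed_short_circuit(permission, roles):
    """Reading 2: a permission mapped to Anonymous is open to everybody."""
    mapped = PERMISSION_ROLES[permission]
    return "Anonymous" in mapped or bool(mapped & roles)


def permissions(roles, check):
    """All permissions the given check grants to a set of roles."""
    return {p for p in PERMISSION_ROLES if check(p, roles)}


def differences(assigned_roles, has_credentials):
    """Permissions on which the two readings disagree for one user."""
    roles = effective_roles(assigned_roles, has_credentials)
    return permissions(roles, allowed_strict) ^ permissions(roles, allowed_short_circuit)


if __name__ == "__main__":
    # Constructed sample users: (label, assigned roles, supplied credentials?)
    users = [("anonymous", [], False), ("manager", ["Manager"], True),
             ("wizard", ["Wizard"], True), ("both", ["Manager", "Wizard"], True)]
    for label, assigned, creds in users:
        roles = effective_roles(assigned, creds)
        print(label, sorted(permissions(roles, allowed_strict)),
              "differs on:", sorted(differences(assigned, creds)))
```

With this table the two readings disagree only on BeAnon for users who supplied credentials, so a permission meant to exclude logged-in users is the case to test on a real site.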