This is how the HTTP/1.1 specification requires it to be. Your browser follows this spec.
Dieter, I understand the HTTP spec... but ZOPE does not work that way. I can use methods which require roles above where I logged in. The methods used for returning the roles themselves do not correlate with ZOPE's own actions. Therefore ZOPE has an internal inconsistency regarding user authentication with basic HTTP authorization.
Apparently, you are using a user folder that uses basic authentication. There are user folders around that can (be configured to) use Cookie authentication. You can also use CookieCrumbler for that.
Yes, I've used one or two, but I'm concerned with remedying the default ZOPE authentication mechanism, which is broken.
<dtml-call "REQUEST.set('roles',['Anonymous',])">
<dtml-if AUTHENTICATED_USER>
  <dtml-call "REQUEST.set('roles',AUTHENTICATED_USER.getRoles())">
</dtml-if>
Paul, thanks, but your suggestion isn't applicable since the result of AUTHENTICATED_USER.getRoles() is wrong.

Grant K Rauscher
GeeKieR Enterprises
http://www.geekier.com/