Chris Withers <chris@simplistix.co.uk> wrote:
Dieter Maurer wrote:
A user will have the Anonymous role iff they have not supplied any authentication credentials.
Any user has the "Anonymous" role whether or not it is authenticated.
Really?
Then how come the following script:
    from AccessControl import getSecurityManager
    user = getSecurityManager().getUser()
    print user.getRoles()
    return printed
returns ('Manager', 'Authenticated') when logged in as a manager
This queries the user object, and returns all roles the implementation decided to return. Standard user folder only returns 'Authenticated' in addition to the roles explicitly given to that user... (FWIW in CPSUserFolder we chose to return Authenticated as well as Anonymous to be consistent.)
and ('Anonymous',) when anonymous?
A user will never have Authenticated and Anonymous roles at the same time.
This is wrong.
See above.
...but from the security machinery's point of view, if an object or method is protected by a permission given to the role Anonymous, then any user will have access. ImplPython.validate has:

    # Short-circuit tests if we can:
    try:
        if roles is None or 'Anonymous' in roles:
            return 1

(roles here is the roles issued from the permission on the object considered.)

Florent

-- 
Florent Guillaume, Nuxeo (Paris, France)   CTO, Director of R&D
+33 1 40 33 71 59   http://nuxeo.com   fg@nuxeo.com
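The distinction Florent draws (what user.getRoles() reports versus what the permission check actually grants) is easy to lose in prose, so here is an added toy model of both behaviours. It is not Zope code and is not part of the thread: standard_folder_roles, cps_folder_roles, validate and demo are names made up for this illustration, and validate only imitates the short-circuit quoted above, not the rest of ImplPython.validate.

```python
"""Toy model of the two behaviours discussed in the thread (added example, not Zope code).

(a) what user.getRoles() returns for the standard user folder versus a user
    folder that also reports 'Anonymous' (as CPSUserFolder was said to do), and
(b) the short-circuit in the permission check: if the protecting permission is
    granted to 'Anonymous', every requester passes, whatever getRoles() says.
"""

# Constructed sample: the role tuple an unauthenticated request gets.
ANONYMOUS_ROLES = ('Anonymous',)


def standard_folder_roles(explicit_roles):
    """Standard user folder: the explicitly assigned roles plus 'Authenticated' only."""
    return tuple(explicit_roles) + ('Authenticated',)


def cps_folder_roles(explicit_roles):
    """CPSUserFolder-style folder: additionally reports 'Anonymous' for consistency."""
    return tuple(explicit_roles) + ('Authenticated', 'Anonymous')


def validate(user_roles, permission_roles):
    """Imitation of the permission check (hypothetical, simplified).

    permission_roles: roles the permission on the object is granted to
    (None meaning no restriction). user_roles: what the user object reports.
    """
    # Short-circuit: a permission open to Anonymous is open to everyone,
    # so user_roles is never consulted in that case.
    if permission_roles is None or 'Anonymous' in permission_roles:
        return True
    # Otherwise the user must hold at least one of the permission's roles.
    return any(role in permission_roles for role in user_roles)


def demo():
    """Run the scenarios from the thread and return the outcomes by name."""
    manager_std = standard_folder_roles(['Manager'])   # ('Manager', 'Authenticated')
    manager_cps = cps_folder_roles(['Manager'])        # also carries 'Anonymous'
    view_public = ('Anonymous',)                       # permission granted to Anonymous
    view_members = ('Manager', 'Owner')                # permission not open to Anonymous
    return {
        # getRoles() view: depends on the user folder implementation
        'std_reports_anonymous': 'Anonymous' in manager_std,
        'cps_reports_anonymous': 'Anonymous' in manager_cps,
        # security machinery view: Anonymous-granted permission admits everyone
        'manager_std_public': validate(manager_std, view_public),
        'anon_public': validate(ANONYMOUS_ROLES, view_public),
        # a permission closed to Anonymous still needs a matching role
        'anon_members': validate(ANONYMOUS_ROLES, view_members),
        'manager_std_members': validate(manager_std, view_members),
    }


if __name__ == '__main__':
    for name, outcome in demo().items():
        print(name, outcome)
```

The point the model makes: a manager in the standard user folder never sees 'Anonymous' in getRoles(), yet passes every check on a permission granted to Anonymous, because the short-circuit fires before the user's roles are looked at; whether a role list also contains 'Anonymous' is a user folder choice, not what decides access.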