-----Original Message----- From: zope-admin@zope.org [mailto:zope-admin@zope.org]On Behalf Of Dieter Maurer Sent: Friday, January 12, 2001 5:00 PM To: Chris McDonough Cc: zope@zope.org Subject: Re: [Zope] hasRole bug or feature in 2.2.?
However, if previously a protected object has been accessed, then your browser may (and usually will) send Authentication information with all following requests. A UserFolder will use this information (if present) to authenticate the user, even if no permissions are necessary for object access. If successful, AUTHENTICATED_USER will not be "Anonymous" even though the accessed object is unprotected.
I think I understand, but correct me if I'm wrong. The problem is that my browser is not even *sending* the authentication information to the other parts of the site until I first access a protected document at the root level. That is, the browser only continues to send auth info on levels at and below where I've requested a protected document. If that potected document is at the root level, I get the auth info everywhere in the site. Does this also mean that even after authenticating myself on one part of the site, accessing a protected document on another part of the site may result in an "unauthroized" response from Zope, to which my browser kindly responds for me without me realizing it? If this is true, it explains clearly Zope's behavior. It's really a browser "feature" and not a Zope issue at all. Given that, is it fair to say that I can never really be sure that an authenticated user (somewhere else on the site) accessing an unprotected document has a given role? Or would it be safe to assume that after accessing a root protected document, hasRole() will return the "right" answer anywhere in the site? If I can't safely assume any of the above, would I be better off using a session product to track a user after log in so I can determine their roles from an unprotected document? Any other ways? My goal, BTW, is to avoid showing certain content on an otherwise public page unless the authenticated user has the Member role. If there is a cleaner way to do this, I'm all ears. Thanks! _______________________ Ron Bickers Logic Etc, Inc. rbickers@logicetc.com