Hi Dennis, Dennis Allison wrote:
Are the standard roles (anonymous, authorized_user, manager) inclusive? By inclusive I mean that an authorized_user is also treated as an anonymous_user and that a manager is also anonymous and an authorized_user.
Anonymous and Authenticated are two special roles. A user will have the Anonymous role iff they have not supplied any authentication credentials. A user will have the Authenticated role iff they HAVE supplied authentication credentials. A user will never have Authenticated and Anonymous roles at the same time. For all other roles, the user has those roles or not. Having or not having a role has no effect on having or not having any other role. The permissions a user has is the logical OR of all the permissions mapped to all the roles the user has. eg: Anonymous Authenticated Manager Wizard BeAnon x View x x x Change x Delete x Magik x So, the anonymous user can view things, and is the only user who can BeAnon A manager can View and Delete things, they can also Change things by way of their being authenticated. A person with only the Wizard role will be able to do Magik as well as change and view things by way of being authenticated. A user with Manager and Wizard roles will be able to view, change, delete and do magik, but even that magik won't allow them to BeAnon ;-) HTH, Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk