You're gonna laugh. Get ready.

You didn't protect the isMember document. It's viewable by Anonymous. The Zope security machinery short-circuits authentication for resources that don't require it. This means that when you view a resource that's unprotected, you view it "as Anonymous". Anonymous doesn't have the Member role, so you see "You are NOT a Member" when you view /isMember.

I don't particularly like this behavior, but it seems not to bother anyone else. I think it should authorize you and set AUTHENTICATED_USER if you pass in auth info regardless of the protection on the resource you're trying to view.

----- Original Message -----
From: "Ron Bickers" <rbickers@logicetc.com>
To: <zope@zope.org>
Sent: Thursday, January 11, 2001 5:01 PM
Subject: [Zope] hasRole bug or feature in 2.2.?

I'm having a problem with AUTHENTICATED_USER.hasRole()
I have a user with the role 'Member' defined at the root level (and nowhere else). I also have the following DTML method at the root level:

<dtml-if "REQUEST['AUTHENTICATED_USER'].hasRole(PARENTS[-1], ['Member'])">
  You are a Member.
<dtml-else>
  You are NOT a Member.
</dtml-if>

When I first request the protected document /Bogus/membersonly, I'm prompted to log in. When I do, I get access to the /Bogus/membersonly document. Then when I request /Bogus/isMember, it says I am a Member. However, when I request /isMember, it says I am NOT a Member. Anywhere I request isMember, other than in the /Bogus folder, I am NOT a Member, even though the user is defined at the root level with the Member role.
If I then request a protected document /membersonly, it shows me the document without prompt. After I do that, when I request /isMember or /AnyFolder/isMember, it now tells me I am a Member.
Why does it not recognize that I'm a user with the Member role anywhere on the site until I access a protected document at the root level? Is this by design or a bug? If by design, what's the reasoning?
Thanks!
_______________________
Ron Bickers
Logic Etc, Inc.
rbickers@logicetc.com