Chris McDonough writes:
You didn't protect the isMember document. It's viewable by Anonymous. The Zope security machinery short-circuits authentication for resources that don't require it. This means that when you view a resource that's unprotected, you view it "as Anonymous". Anonymous doesn't have the Member role, so you see "You are NOT a Member" when you view /isMember.
I don't particularly like this behavior, but it seems not to bother anyone else. I think it should authorize you and set AUTHENTICATED_USER if you pass in auth info regardless of the protection on the resource you're trying to view.

It would bother me a lot if you were right :-)
Fortunately, you are not completely right. What really happens is the following: when ZPublisher has located the object addressed by the request URL, it starts working its way back along PARENTS to find a UserFolder that can authenticate a user with sufficient permissions to call the object. If the object is unprotected, then no permissions are required. In this case, the top-level UserFolder will return "Anonymous" if it is reached and it cannot authenticate the user. Therefore, an unprotected object can be called by Anonymous, and in this case "hasRole" is that of "Anonymous", as Chris reported. However, if a protected object has previously been accessed, then your browser may (and usually will) send authentication information with all following requests. A UserFolder will use this information (if present) to authenticate the user, even if no permissions are necessary for object access. If successful, AUTHENTICATED_USER will not be "Anonymous" even though the accessed object is unprotected.

Dieter
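The walk along PARENTS that Dieter describes, as an added toy model written for this page; it is not ZPublisher's or any UserFolder's actual code. The site layout (a root with a single user "alice", an unprotected "isMember" document and a protected "private" document), the user table and the helper names are all constructed assumptions. It shows the behaviour of the thread: without an Authorization header the unprotected document is published "as Anonymous", a protected sibling forces a challenge, and once the browser resends the Basic credentials the same unprotected document sees the real user.

```python
import base64
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

ANONYMOUS = "Anonymous"


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]


ANONYMOUS_USER = User(ANONYMOUS, frozenset({ANONYMOUS}))


def basic_auth_header(name: str, password: str) -> str:
    """Build the HTTP Basic Authorization value a browser would resend."""
    token = base64.b64encode(f"{name}:{password}".encode()).decode()
    return f"Basic {token}"


class UserFolder:
    """Toy stand-in for a Zope user folder (assumption): name -> (password, roles)."""

    def __init__(self, users: Dict[str, Tuple[str, FrozenSet[str]]]):
        self.users = users

    def authenticate(self, auth_header: Optional[str]) -> Optional[User]:
        """Return the user named by a Basic header, or None if absent or invalid."""
        if not auth_header or not auth_header.startswith("Basic "):
            return None
        try:
            name, _, password = base64.b64decode(auth_header[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        entry = self.users.get(name)
        if entry is None or entry[0] != password:
            return None
        return User(name, entry[1])

    def validate(self, auth_header: Optional[str],
                 required_roles: Optional[FrozenSet[str]],
                 is_top_level: bool) -> Optional[User]:
        # Credentials are checked whenever they are present, even when the
        # object needs no permission: that is how AUTHENTICATED_USER ends up
        # being a real user on an unprotected object.
        user = self.authenticate(auth_header)
        if user is not None and (required_roles is None or user.roles & required_roles):
            return user
        # Only the top-level folder falls back to Anonymous, and only when
        # the object required no permission at all.
        if is_top_level and required_roles is None:
            return ANONYMOUS_USER
        return None


@dataclass
class Node:
    """A published object; required_roles=None means unprotected."""
    name: str
    required_roles: Optional[FrozenSet[str]] = None
    acl_users: Optional[UserFolder] = None
    parent: Optional["Node"] = None


def publish(obj: Node, auth_header: Optional[str]) -> Optional[User]:
    """Walk PARENTS from the requested object toward the root, asking each
    user folder to validate. None means nobody could authorize the call,
    i.e. the publisher would answer 401 with a WWW-Authenticate challenge."""
    node = obj
    while node is not None:
        if node.acl_users is not None:
            user = node.acl_users.validate(auth_header, obj.required_roles,
                                           node.parent is None)
            if user is not None:
                return user
        node = node.parent
    return None


def render_is_member(user: User) -> str:
    """What the isMember document shows for the user the request ran as."""
    return "You are a Member" if "Member" in user.roles else "You are NOT a Member"


def build_site() -> Tuple[Node, Node, Node]:
    # Constructed sample site: one user "alice" with the Member role.
    root = Node("root", acl_users=UserFolder({"alice": ("secret", frozenset({"Member"}))}))
    is_member = Node("isMember", parent=root)                                   # unprotected
    private = Node("private", required_roles=frozenset({"Member"}), parent=root)  # needs Member
    return root, is_member, private


if __name__ == "__main__":
    _, is_member, private = build_site()
    print("no auth, /isMember  ->", render_is_member(publish(is_member, None)))
    print("no auth, /private   ->", publish(private, None), "(401 challenge)")
    hdr = basic_auth_header("alice", "secret")
    print("auth,    /private   ->", publish(private, hdr).name)
    # After the challenge the browser keeps sending the header:
    print("auth,    /isMember  ->", render_is_member(publish(is_member, hdr)))
```

The practical consequence for the original question is the last two lines of the demo: visiting /isMember directly gives "You are NOT a Member", while visiting it after any protected URL on the same site gives "You are a Member", because the browser is now attaching credentials that the user folder validates even though the document needs none.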