I had the same experience, and after researching it a little, I found that if Zope is asked to perform an action (render a dtml method, call a python script, etc.) and that action can be done by the 'Anonymous' role, then Zope doesn't even bother to look at the user's credentials, because it knows that the action is already allowed, no matter what other roles the user has. In those cases, I believe Zope performs the action, passing in a generic anonymous user instead of passing in the actual credentials. That caused trouble for me when I wanted to call the getUser method and it was giving me the Anonymous user.

BUT... If I remember right, you can get the user explicitly by using the 'AUTHENTICATED_USER' of your REQUEST. Here's a little bit of my code that I think might work for what you're asking.

  <dtml-comment>Default to Anonymous; use the real roles when a user is authenticated</dtml-comment>
  <dtml-call "REQUEST.set('roles',['Anonymous',])">
  <dtml-if AUTHENTICATED_USER>
    <dtml-call "REQUEST.set('roles',AUTHENTICATED_USER.getRoles())">
  </dtml-if>

This works for me, but while I'm only trying to be helpful, I might be both misunderstanding your needs, as well as feeding you false information, because I'm only experienced enough in this part of Zope to get my own stuff working to my liking. I hope it helps, but if I'm wrong, somebody please correct me...

:Paul

the problem is this: if one authenticates at a location deeper than their user account, authorization should apply up to the level of the account. it does - any method requiring authorization is allowed to run between the point of login and the user account - but when I test with *any* of these routines between the point of login and the user account it shows only 'Anonymous' - not the expected roles.
  user.getRoles()
  _.SecurityGetUser().getRoles()
  user.has_role( roleName )
visiting /manage or any other objects which require authorization works between the user account and the point of login - in fact, after rendering an object which would prompt for authorization if the only role were *really* Anonymous the roles for that object and ones it contains are fixed and show the expected results with getRoles() and has_role().
this problem occurred with ZOPE 2.5.0 or 2.5.1, and IE 5.5 or NN 7.0