I'm having some weird problems with AUTHENTICATED_USER... I have a form that calls a function called "newReport" using the following code:

    <form>
      <input type=submit name="newReport:method" value="New">
    </form>

Although I am logged in as the user "techy1", if I access AUTHENTICATED_USER from within newReport using the following code:

    user = str(self.REQUEST.AUTHENTICATED_USER)

I get 'Anonymous User'. However, the code still runs with the permissions of techy1. If I call newReport normally (<form action="newReport">) everything works correctly. Any ideas?
James Davies wrote at 2003-12-18 11:50 +1000:
I'm having some weird problems with AUTHENTICATED_USER... ... Although I am logged in as the user "techy1",
HTTP does not have the notion of "logged in". What you see is an emulation of this notion that is not reliable...
if I access AUTHENTICATED_USER from within newReport using the following code:
user = str(self.REQUEST.AUTHENTICATED_USER)
I get 'Anonymous User'. However the code still runs with the permissions of techy1
Are you using an old Zope version? Older Zope versions only performed authentication for protected objects. If you are using a new Zope version (2.6.x or above), then either someone modified "AUTHENTICATED_USER" (not likely -- in this case, you could use:

    from AccessControl import getSecurityManager
    user = getSecurityManager().getUser()

) or your browser did not send authentication information. Browsers are allowed by HTTP 1.1 not to send authentication information. However, they should (this is not a *must*) send authentication information into subhierarchies where some object in the top level required authentication. This rule implies that the place where you had to login determines the subhierarchy into which authentication information is sent. This can explain the effects you have observed.

-- Dieter
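The browser-side rule Dieter describes (the Basic-auth "protection space" of RFC 2617 section 2) together with the server-side fallback to 'Anonymous User', as an added example that is not from the thread and is not Zope's own code; the URLs, the user table and the simplified server lookup are constructed for the demo.

```python
import base64
import hmac
import posixpath
from urllib.parse import urlsplit

# Constructed user table for the demo (plain-text passwords, demo only).
USERS = {"techy1": "s3cret"}

def protection_space(challenge_url):
    """Scheme, host and directory prefix of the URL that answered 401.
    Per RFC 2617 section 2 a browser treats every path at or below that
    directory as belonging to the same protection space."""
    parts = urlsplit(challenge_url)
    path = parts.path or "/"
    prefix = path if path.endswith("/") else posixpath.dirname(path).rstrip("/") + "/"
    return parts.scheme, parts.netloc, prefix

def will_send_preemptively(challenge_url, request_url):
    """True if a browser may reuse Basic credentials obtained at
    challenge_url for request_url without a fresh 401 challenge."""
    scheme, host, prefix = protection_space(challenge_url)
    parts = urlsplit(request_url)
    same_origin = (parts.scheme, parts.netloc) == (scheme, host)
    return same_origin and (parts.path or "/").startswith(prefix)

def basic_header(name, password):
    return "Basic " + base64.b64encode(f"{name}:{password}".encode()).decode()

def resolve_user(headers):
    """Server-side view (simplified model, not Zope's code): a request without
    a usable Authorization header is processed as 'Anonymous User'."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return "Anonymous User"
    try:
        name, _, password = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return "Anonymous User"
    expected = USERS.get(name)
    if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
        return name
    return "Anonymous User"

def simulate(challenge_url, request_url, name, password):
    """Browser decides whether to attach credentials; server resolves the user."""
    headers = {}
    if will_send_preemptively(challenge_url, request_url):
        headers["Authorization"] = basic_header(name, password)
    return resolve_user(headers)

if __name__ == "__main__":
    login = "http://zope.example/reports/manage_main"  # constructed: where the 401 was answered
    print(simulate(login, "http://zope.example/reports/newReport", "techy1", "s3cret"))  # techy1
    print(simulate(login, "http://zope.example/newReport", "techy1", "s3cret"))  # Anonymous User
```

A form that posts to a URL above the directory where the credentials were first requested falls outside the protection space, so the browser may legitimately omit the header and the server sees an anonymous request.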