repost: standard_error_message and roles
Danny William Adair wrote:
Hi!
Strange behavior...
While customizing my standard_error_message, I ran into a problem: Someone with the role "Member" is logged in and tries to access a resource that does not exist. Same could happen to someone who doesn't have that role (Anonymous). Now I have two different style sheets for members and non-members: A member might click on a broken link from within the members-only area (having a... pink background), the anonymous user clicked the same broken link from a publicly accessible area of the site (having a... silver background). I would like to keep the different background colors when showing my error message so I put a
<dtml-if "AUTHENTICATED_USER.has_role('Member')"> <dtml-var "members_css"> <dtml-else> <dtml-var "public_css"> </dtml-if>
in the head section of standard_error_message (these *_css are ZStyleSheets)
My problem is that it's always the public_css that's used. So I checked with <dtml-var "AUTHENTICATED_USER.getRoles()"> in both the members area and standard_error_message. To my surprise the member role was gone:
In the members area - after authentication - getRoles() returned ('Member',)
while in standard_error_message ( _.str(error_type)=='NotFound' ) it returned ('Anonymous',)
btw, the role is not really "lost", I can go back to the members area and click through members-only pages without problems.
What's happening?
Hi Danny
Zope does *not* undertake a full authentication check when a method is accessed that is allowed to be accessed by *Anonymous*. The ZServer only looks up the permission settings of the method requested, and when it sees that *Anonymous* has got the permission to access it, it treats the user (i.e. AUTHENTICATED_USER) as *Anonymous User* and serves the request.
That is why, during serving the request for the standard_error_message, *AUTHENTICATED_USER* has the value of 'Anonymous User'. Only if *Anonymous* hasn't got sufficient privileges, ZServer checks on the user and his roles.
Regards,
--- Flynt
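The behaviour described in the reply above, as a simplified Python model added here (it is not Zope's code and not from either poster). The names User, Resource, publish, stylesheet_for and the sample credentials are assumptions made for illustration.

```python
# Simplified model of the behaviour described in the reply; NOT Zope's code.
# All names here (User, Resource, publish, USERS) are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: tuple

    def has_role(self, role):
        return role in self.roles


ANONYMOUS = User("Anonymous User", ("Anonymous",))

# Constructed sample user database: credentials -> user
USERS = {("danny", "secret"): User("danny", ("Member",))}


@dataclass(frozen=True)
class Resource:
    name: str
    allowed_roles: tuple  # roles that hold the permission to view it


def publish(resource, credentials=None):
    """Return the user a rendered template would see as AUTHENTICATED_USER."""
    # Step 1: if Anonymous may view the resource, credentials are never examined.
    if "Anonymous" in resource.allowed_roles:
        return ANONYMOUS
    # Step 2: only a protected resource triggers the real credential check.
    user = USERS.get(credentials)
    if user is None or not any(user.has_role(r) for r in resource.allowed_roles):
        raise PermissionError("Unauthorized: " + resource.name)
    return user


def stylesheet_for(user):
    # Mirrors the dtml-if from the question.
    return "members_css" if user.has_role("Member") else "public_css"


members_page = Resource("members/index_html", ("Member",))
error_page = Resource("standard_error_message", ("Anonymous", "Member"))
creds = ("danny", "secret")  # the same browser sends these on every request
```

With the same credentials, the protected page resolves to the Member user while the anonymously viewable error page resolves to Anonymous User, so a role test placed in a public template always takes the anonymous branch.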