Should everyone always have 'Anonymous' role?
Hi all,

I used to test for <tr tal:condition="python:'Anonymous' not in user.getRoles()"> before switching to LDAPUserFolder, and it used to work. When I switched, it stopped working, and I found this in LDAPUserFolder's 'Configure.stx':

    'Default User Roles' -- All users authenticated from your ldap tree will be given the roles you put into this comma-delimited list. Zope expects all users - anonymous as well as authenticated - to have the role Anonymous.

I wasn't aware of that. Why does an authenticated user need to have Anonymous as a role?

(I'm trying to get to http://www.zope.org/Documentation/Books/ZopeBook/2_6Edition/Security.stx but it's down now:

    While trying to retrieve the URL: http://12.155.117.33:8082/VirtualHostBase/http/zope.org:80/zopeorg/VirtualHo...
    The following error was encountered:
    * Connection Failed
)

-- 
Jean Jordaan
http://www.upfrontsystems.co.za
Hi Jean!

I am pretty sure that only the 'Anonymous User' has (and should have) the 'Anonymous' role. OTOH it does probably not hurt to have it, even as authenticated user. Well, apart from your condition that is... ;-)

Stefan

--On Tuesday, 05. August 2003 15:22 +0200 Jean Jordaan <jean@upfrontsystems.co.za> wrote:

> 'Default User Roles' -- All users authenticated from your ldap tree will be given the roles you put into this comma-delimited list. Zope expects all users - anonymous as well as authenticated - to have the role Anonymous.
>
> I wasn't aware of that. Why does an authenticated user need to have Anonymous as a role?

-- 
The time has come to start talking about whether the emperor is as well dressed as we are supposed to think he is. /Pete McBreen/
Jean Jordaan wrote:
> this comma-delimited list. Zope expects all users - anonymous as well as authenticated - to have the role Anonymous.
>
> I wasn't aware of that. Why does an authenticated user need to have Anonymous as a role?

I suspect that's a bug in LDAPUserFolder, I'd let the author know ;-)

Chris
> I suspect that's a bug in LDAPUserFolder, I'd let the author know ;-)

So did I, and I did, but Jens is positive it's needed. From our mails:

"""
Anonymous *must always be there* for Zope to work correctly. Taking it out leads to a lot of breakage all over.
[...]
That test is simply flawed. Test for "Authenticated" instead. There is nowhere where this can be found in the docs I believe, I found it by trial and error.
"""

-- 
Jean Jordaan
http://www.upfrontsystems.co.za
I still think he is wrong ;-) [Hi Jens!]

Some excerpts from AccessControl/User.py:

    nobody=SpecialUser('Anonymous User','',('Anonymous',), [])

    class BasicUser(Implicit):

        def allowed(self, object, object_roles=None):
            """Check whether the user has access to object. The user must
               have one of the roles in object_roles to allow access."""

            if object_roles is _what_not_even_god_should_do: return 0

            # Short-circuit the common case of anonymous access.
            if object_roles is None or 'Anonymous' in object_roles:
                return 1
            ...

    class SimpleUser(BasicUser):

        def getRoles(self):
            """Return the list of roles assigned to a user."""
            if self.name == 'Anonymous User':
                return tuple(self.roles)
            else:
                return tuple(self.roles) + ('Authenticated',)

AFAICS only nobody has role 'Anonymous', ever. And - looking at allowed - there does not seem to be any benefit in having the 'Anonymous' role, because the check for anonymous access is short-circuited and never reaches proper role comparison anyway...

I've been writing some user folders lately, and what Jens observed never occurred to me. I agree that the 'Anonymous' role must always be defined in the *system* or all kinds of breakage will occur (you should be able to see it in the 'Security' tab). I do however not see why it should be necessary to give 'Anonymous' to *users* other than nobody. I do also not see where this would be done in case it was.

So, Jens, please show us the code ;-)

Stefan

--On Wednesday, 06. August 2003 17:13 +0200 Jean Jordaan <jean@upfrontsystems.co.za> wrote:

>> I suspect that's a bug in LDAPUserFolder, I'd let the author know ;-)
>
> So did I, and I did, but Jens is positive it's needed. From our mails:
>
> """
> Anonymous *must always be there* for Zope to work correctly. Taking it out leads to a lot of breakage all over.
> [...]
> That test is simply flawed. Test for "Authenticated" instead. There is nowhere where this can be found in the docs I believe, I found it by trial and error.
> """

-- 
The time has come to start talking about whether the emperor is as well dressed as we are supposed to think he is. /Pete McBreen/
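The role logic Stefan quotes, modelled as an added example (not code from this thread, from Zope or from LDAPUserFolder) so the three cases under discussion can be compared side by side: nobody, a plain user-folder member, and an LDAP-style member whose roles include 'Anonymous'. The LDAP-style user is constructed to stand in for LDAPUserFolder's 'Default User Roles' behaviour, and the tail of allowed() is an assumption for the part Stefan elided.

```python
# Added example, not code from the thread, from Zope or from LDAPUserFolder:
# a minimal model of the role logic quoted from AccessControl/User.py, used
# to show why the TAL test  'Anonymous' not in user.getRoles()  breaks once
# a user folder hands every authenticated user the 'Anonymous' role, while
# testing for 'Authenticated' keeps working.

class SimpleUser:
    """Mirrors the quoted SimpleUser: stored roles plus an implied 'Authenticated'."""

    def __init__(self, name, roles):
        self.name = name
        self.roles = tuple(roles)

    def getRoles(self):
        if self.name == 'Anonymous User':
            return tuple(self.roles)
        return tuple(self.roles) + ('Authenticated',)

    def allowed(self, object_roles=None):
        """Mirrors the quoted BasicUser.allowed: anonymous access is granted
        before any role comparison, so a user's own 'Anonymous' role is never
        consulted. The final role intersection is an assumption standing in
        for the part elided with '...' in the quote."""
        if object_roles is None or 'Anonymous' in object_roles:
            return True
        return any(role in object_roles for role in self.getRoles())

# Zope's special anonymous user as quoted: nobody has exactly ('Anonymous',).
nobody = SimpleUser('Anonymous User', ('Anonymous',))
# A user from a plain user folder.
member = SimpleUser('jean', ('Member',))
# Constructed: a user from an LDAPUserFolder whose 'Default User Roles'
# contains Anonymous, as Configure.stx recommends.
ldap_member = SimpleUser('jean', ('Anonymous', 'Member'))

def flawed_is_logged_in(user):
    """Jean's original TAL condition."""
    return 'Anonymous' not in user.getRoles()

def is_logged_in(user):
    """The replacement Jens suggests: test for 'Authenticated'."""
    return 'Authenticated' in user.getRoles()

def compare(user):
    """Return (result of flawed test, result of 'Authenticated' test)."""
    return flawed_is_logged_in(user), is_logged_in(user)
```

Only the LDAP-style member is classified differently by the two tests, and allowed() grants anonymous-protected objects to every user whether or not 'Anonymous' is among that user's own roles.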
Jean Jordaan wrote:
>> I suspect that's a bug in LDAPUserFolder, I'd let the author know ;-)
>
> So did I, and I did, but Jens is positive it's needed. From our mails:

Well, I'm with Stefan on this one, perhaps you could persuade Jens to respond? ;-)

Chris