Hi all,

I have installed Shane's VerboseSecurity. I am logged in as user robert. However, VerboseSecurity reports as follows:

Unauthorized: Your user account does not have the required permission. Access to 'listFolderContents' of (PloneSite instance at 9d31850) denied. Your user account, Anonymous User, exists at (unknown). Access requires List_folder_contents_Permission, granted to the following roles: ['Manager', 'Owner']. Your roles in this context are ['Anonymous'].

When I step through the code in DCWorkflow, a call to getSecurityManager() is executed. The manager returned has a property _context. In this _context the authenticated user is listed as having no roles at all. Why is that so?

This seems not to have any effect. I do not see any exception or requests to authenticate. But why do I "temporarily" have the role Anonymous?

Thanks for any explanation.

Kind regards,
Robert Rottermann
www.redCOR.ch
robert wrote:
> Hi all, I have installed Shane's VerboseSecurity. I am logged in as user robert
> However VerboseSecurity reports as follows
> Unauthorized: ...

That is how HTTP works; first the request is sent anonymously, then if it is met with a 401 response it re-requests the resource with auth headers. Sometimes browsers will send auth headers with the first request for all requests beneath a similar resource path, but that is not mandatory and if done blindly could lead to credential leaks.

--
Jamie Heilman http://audible.transient.net/~jamie/
"I was in love once -- a Sinclair ZX-81. People said, "No, Holly, she's not for you." She was cheap, she was stupid and she wouldn't load -- well, not for me, anyway." -Holly
Thanks Jamie, that explains things nicely.

Have a nice Sunday,
Robert

On Sunday, 22 June 2003 10:11, Jamie Heilman wrote:
> robert wrote:
>> Hi all, I have installed Shane's VerboseSecurity. I am logged in as user robert
>> However VerboseSecurity reports as follows
>> Unauthorized: ...
> That is how HTTP works; first the request is sent anonymously, then if it is met with a 401 response it re-requests the resource with auth headers. Sometimes browsers will send auth headers with the first request for all requests beneath a similar resource path, but that is not mandatory and if done blindly could lead to credential leaks.

--
Kind regards,
Robert Rottermann
www.redCOR.ch