[Zope-dev] user roles & authentication

Grant K Rauscher <grant7@sbcglobal.net>
Thu, 07 Nov 2002 11:41:14 -0800


    Recently I noticed that methods for retrieving user roles are affected
by the URL from which the user logged in using basic authentication (as
opposed to the location of the user account).  I don't see any
authentication-related cookies at all from ZOPE, session or otherwise, just
basic HTTP authorization.

    The problem is this: if one authenticates at a location deeper than
their user account, authorization should apply up to the level of the
account.  It does - any method requiring authorization is allowed to run
between the point of login and the user account - but when I test with *any*
of these routines between the point of login and the user account, it shows
only 'Anonymous' - not the expected roles.

user.getRoles()
_.SecurityGetUser().getRoles()
user.has_role( roleName )

    Visiting /manage or any other objects which require authorization works
between the user account and the point of login - in fact, after rendering
an object which would prompt for authorization if the only role were
*really* Anonymous, the roles for that object and the ones it contains are fixed
and show the expected results with getRoles() and has_role().

    This problem occurred with ZOPE 2.5.0 or 2.5.1, and IE 5.5 or NN 7.0.

                                            Grant K Rauscher
                                            GeeKieR Enterprises
                                            http://www.geekier.com/
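The behaviour described in the post matches how browsers scope cached HTTP Basic credentials: RFC 7617 (section 2.2) defines the protection space as the scheme, host and path prefix (up to the last slash) of the URL that issued the 401 challenge, so the browser sends the Authorization header pre-emptively only for URLs at or below that point. A request above the login point arrives with no header at all, the server sees Anonymous, and only once something there issues a fresh challenge does the browser learn the wider space. The following Python model is added here as an illustration; it is not code from the post or from Zope. The URLs, the user name and password, and the toy server-side role lookup standing in for a user folder are all constructed.

```python
"""Model of browser-side scoping of HTTP Basic credentials (RFC 7617
protection space) and the server-side view of the resulting requests.
Added illustration; not Zope code. All names and URLs are constructed."""
import base64
import hmac
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


def protection_space(challenge_url: str) -> str:
    """Scheme, host and path prefix (up to the last '/') of the URL that
    issued the 401 challenge. RFC 7617 lets a browser reuse the credentials
    for any URL at or below this prefix without being challenged again."""
    parts = urlsplit(challenge_url)
    prefix = parts.path.rsplit("/", 1)[0] + "/"
    return f"{parts.scheme}://{parts.netloc}{prefix}"


class BrowserAuthCache:
    """Toy browser-side cache of Basic credentials keyed by protection space."""

    def __init__(self) -> None:
        self._spaces: Dict[str, Tuple[str, str]] = {}

    def learn(self, challenge_url: str, user: str, password: str) -> None:
        """Remember credentials entered in response to a challenge at this URL."""
        self._spaces[protection_space(challenge_url)] = (user, password)

    def header_for(self, url: str) -> Optional[str]:
        """Authorization header the browser would attach pre-emptively, if any."""
        parts = urlsplit(url)
        target = f"{parts.scheme}://{parts.netloc}{parts.path}"
        for space, (user, password) in self._spaces.items():
            if target.startswith(space):
                token = base64.b64encode(f"{user}:{password}".encode()).decode()
                return f"Basic {token}"
        return None


# Constructed stand-in for a user folder. Plaintext passwords are used only
# because the point here is header scoping, not credential storage.
USERS: Dict[str, Tuple[str, List[str]]] = {"grant": ("correct-horse", ["Manager"])}


def roles_for_request(auth_header: Optional[str]) -> List[str]:
    """Server-side view of one request: a missing or invalid Authorization
    header yields Anonymous; a valid one yields the account's roles."""
    if not auth_header or not auth_header.startswith("Basic "):
        return ["Anonymous"]
    try:
        decoded = base64.b64decode(auth_header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return ["Anonymous"]
    user, _, password = decoded.partition(":")
    stored = USERS.get(user)
    if stored is None or not hmac.compare_digest(stored[0], password):
        return ["Anonymous"]
    return list(stored[1])


def visit(browser: BrowserAuthCache, url: str, protected: bool = False) -> List[str]:
    """One page load. If the URL is protected and the request arrives as
    Anonymous, the server challenges (401), the browser prompts (simulated
    here with the constructed credentials), learns the new protection space
    and retries. Returns the roles the server saw on the final request."""
    roles = roles_for_request(browser.header_for(url))
    if protected and roles == ["Anonymous"]:
        browser.learn(url, "grant", "correct-horse")  # simulated login prompt
        roles = roles_for_request(browser.header_for(url))
    return roles


if __name__ == "__main__":
    b = BrowserAuthCache()
    # Log in deep inside the site, then look at URLs above and below that point.
    for url, prot in [
        ("http://example.com/site/sub/manage", True),
        ("http://example.com/site/sub/page", False),
        ("http://example.com/site/page", False),    # above the login point
        ("http://example.com/site/manage", True),   # fresh challenge widens the space
        ("http://example.com/site/page", False),
    ]:
        print(url, visit(b, url, prot))
```

Run as a script, the trace shows Manager for the login URL and everything below it, Anonymous for a sibling above the login point, and Manager there again only after a protected URL at that level has forced a new challenge, which is the sequence the post reports. The server side never sees a session; each request is judged solely on whether the browser chose to attach the header.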