[Zope-dev] Re: user roles & authentication
R. David Murray
bitz@bitdance.com
Mon, 11 Nov 2002 10:04:16 -0500 (EST)
On Sat, 9 Nov 2002, Grant K Rauscher wrote:
> > This is how the HTTP/1.1 specification requires it to be.
> > Your browser follows this spec.
>
> Dieter,
>
> I understand the HTTP spec... but ZOPE does not work that way.
>
> I can use methods which require roles above where I logged in. The
> methods used for returning the roles themselves do not correlate with ZOPE's
> own actions. Therefore ZOPE has an internal inconsistency regarding user
> authentication with basic HTTP authorization.
Zope has one security policy (you are authed from the user folder
you appear in on down), but basic auth has a different one that
requires that the browser only *send* the auth credentials at the
folder you *log in at* and down. So if you've logged in at the
"below" location, and subsequently visit a location between the
user folder and the log in point, the *browser* will not *send* the
auth credentials, so you are anonymous. If you then auth on that
new (higher) page, the browser will start sending the auth credentials.
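The two policies described above, the browser's path-scoped Basic-auth behaviour versus Zope's "user folder and below" rule, can be modelled in a few lines. The following is an added example, not code from the original thread or from Zope itself; the folder layout (a user folder in `/app`, a login at `/app/docs/secret/index`) and the `challenged` branch modelling the browsers mentioned in the PS are constructed assumptions for illustration.

```python
"""Model of the mismatch between Basic-auth credential scoping and Zope's
user-folder policy. Added example; not from the original thread or from Zope.

RFC 2617 section 2: after credentials succeed for one URI, the client may
preemptively send them for any URI in the same or a deeper path (the
"protection space"). Zope instead treats a user folder as valid for its
containing folder and everything below it.
"""
from posixpath import dirname

AUTHENTICATED = "authenticated"
WITHHELD = "anonymous: browser withholds credentials Zope would accept"
OUTSIDE = "anonymous: outside the user folder's scope"


def protection_space(login_path: str) -> str:
    """Directory of the URI at which the 401 challenge was answered."""
    space = dirname(login_path)
    return space if space.endswith("/") else space + "/"


def under(prefix_dir: str, path: str) -> bool:
    """True when path lies at or below the directory prefix_dir (POSIX-style)."""
    return (path.rstrip("/") + "/").startswith(prefix_dir)


def browser_sends_credentials(login_path: str, request_path: str,
                              challenged: bool = False,
                              same_realm: bool = True) -> bool:
    """Browser side: send preemptively only inside the protection space.

    The `challenged` branch is an assumption about some browsers (see the PS
    in the message above): when a location outside the protection space
    answers 401 with the same realm, they resend without prompting.
    """
    if under(protection_space(login_path), request_path):
        return True
    return challenged and same_realm


def zope_would_authorize(user_folder_container: str, request_path: str) -> bool:
    """Zope side: a user folder in container X covers X and everything below it."""
    return under(user_folder_container.rstrip("/") + "/", request_path)


def classify(user_folder_container: str, login_path: str, request_path: str,
             challenged: bool = False) -> str:
    """Combine both policies for one request and label the outcome."""
    sends = browser_sends_credentials(login_path, request_path, challenged)
    accepts = zope_would_authorize(user_folder_container, request_path)
    if not accepts:
        return OUTSIDE
    return AUTHENTICATED if sends else WITHHELD


if __name__ == "__main__":
    # Constructed layout: user folder in /app, login happened at /app/docs/secret/index
    for path in ["/app/docs/secret/other", "/app/admin", "/app", "/public"]:
        print(f"{path:26} -> {classify('/app', '/app/docs/secret/index', path)}")
```

Running it shows `/app/admin` and `/app` classified as anonymous even though Zope would accept the credentials: the browser simply never sends them there until re-challenged (`challenged=True` flips those two to authenticated, which is the behaviour the PS speculates about).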
--RDM
PS: it seems to me that not all browsers obey this, or perhaps some
send the auth for the higher level folders if challenged and if it
works don't prompt the user.