[Zope] RE: Every user should have the Anonymous role everywhere

Alan Capesius, MCSE capesiusa@sysmex.com
Sat, 1 Jul 2000 11:26:07 -0500


My suggestion for splitting the role or allowing an "anyone" or "public" role would allow "anonymous" to be maintained and used to identify users that are not authenticated. (This seems to be the norm now for DTML.)
The new role would basically be defined as "ignore all security and allow access".

Placing the alternate User Folder at the root and using hierarchical roles defined at the root level would make it more manageable, but it would have several drawbacks I can think of off hand: more complex management, shared security model in virtual servers, and difficult for newbies to implement security without locking themselves out of the entire system.

Perhaps a flag for "use security"/"don't use security" on this folder/object would be useful?

I haven't seen this submitted to the Bug Collector yet.

> > ----------
> > From: 	Chris Withers[SMTP:CHRISW@NIPLTD.COM]
> Dieter Maurer wrote:
> > In Zope, each user has a set of roles.
> > Any user has the "Anonymous" role. Log-in users may have
> > additional roles.
> 
> I'm not convinced this is true...
> 
> Quoting from the LoginManager CHANGES.TXT file:
> > Generic User Source, like the GenericUserFolder product it was 
> inspired by,
> > gave all users the Anonymous role. This seems to be incorrect 
> according to 
> > what other user folders do, including the standard Zope 
> version, so GUS now 
> > no longer does this.
> 
> ...which is why Alan experiences this problem. I've also run into it
> just using a normal acl_users folder and I've been mentioning every few
> months since I bumped into it back in March. Here's my original post:
> 
> http://zope.nipltd.com/public/lists/dev-archive.nsf/ByKey/82AE22A20C7E88AE
> 
> I wish this could get sorted out as it makes security a nightmare unless
> you use a web of local roles, which is painful and messy to maintain.
> 
> Is there any reason why every user shouldn't have the anonymous role for
> every accessible page/object/thing visitable through a protocol?
> 
> cheers,
> 
> Chris
>
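The disagreement in this thread is about one property of the access-control model: whether "Anonymous" is a role that every principal holds (so a permission granted to Anonymous is a floor for everyone) or a role that only unauthenticated requests carry (so granting a permission to Anonymous can exclude logged-in users). The following toy model is an added illustration, not Zope code and not code from anyone in the thread; the `User`, `Folder`, `allowed` and `run_demo` names, the role names `Member` and `Public`, and the sample folders are all constructed here. It ignores acquisition from parent folders and checks only the roles granted on the object itself. It plays through the three configurations discussed: the status quo, Chris's "Anonymous everywhere", and Alan's separate always-held "public" role that leaves "Anonymous" free to mean "not authenticated".

```python
"""Toy model of Zope-style role/permission checks (constructed illustration)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset            # roles assigned in the user folder (constructed data)
    authenticated: bool = True


# The unauthenticated principal: by default the only user holding "Anonymous".
ANONYMOUS = User("Anonymous User", frozenset({"Anonymous"}), authenticated=False)


@dataclass
class Folder:
    name: str
    # permission name -> roles granted that permission on this folder
    # (acquisition from parent folders is deliberately left out)
    grants: dict = field(default_factory=dict)


def effective_roles(user, universal_roles=frozenset()):
    """Roles considered during a check: the user's own roles plus any role
    that every principal is deemed to hold ("Anonymous everywhere" or a
    "public" role, as proposed in the thread)."""
    return frozenset(user.roles) | frozenset(universal_roles)


def allowed(folder, permission, user, universal_roles=frozenset()):
    """A check passes when at least one effective role is granted the permission."""
    granted_to = folder.grants.get(permission, set())
    return bool(effective_roles(user, universal_roles) & set(granted_to))


def run_demo():
    """Return the outcome of the three configurations discussed in the thread."""
    alice = User("alice", frozenset({"Member"}))
    public_area = Folder("public", {"View": {"Anonymous"}})
    members_area = Folder("members", {"View": {"Member"}})
    results = {}

    # 1. Status quo: "Anonymous" is not universal. A folder opened to Anonymous
    #    is closed to logged-in users lacking that role, which is why one ends
    #    up maintaining a web of local roles to let members back in.
    results["status_quo"] = {
        "anon_sees_public": allowed(public_area, "View", ANONYMOUS),
        "alice_sees_public": allowed(public_area, "View", alice),   # False: the complaint
        "anon_sees_members": allowed(members_area, "View", ANONYMOUS),
        "alice_sees_members": allowed(members_area, "View", alice),
    }

    # 2. Chris's proposal: every user holds "Anonymous" on every object.
    #    Members regain the public area; guests still cannot reach the members area.
    results["anonymous_everywhere"] = {
        "alice_sees_public": allowed(public_area, "View", alice, {"Anonymous"}),
        "anon_sees_members": allowed(members_area, "View", ANONYMOUS, {"Anonymous"}),
    }

    # 3. Alan's proposal: a separate always-held "Public" role carries the
    #    open grants, so "Anonymous" keeps identifying unauthenticated users.
    public_area_v2 = Folder("public", {"View": {"Public"}})
    results["public_role"] = {
        "alice_sees_public": allowed(public_area_v2, "View", alice, {"Public"}),
        "anon_sees_public": allowed(public_area_v2, "View", ANONYMOUS, {"Public"}),
        "anon_sees_members": allowed(members_area, "View", ANONYMOUS, {"Public"}),
        "anonymous_still_identifies_guests": (
            "Anonymous" in ANONYMOUS.roles and "Anonymous" not in alice.roles
        ),
    }
    return results


if __name__ == "__main__":
    for config, outcome in run_demo().items():
        print(config, outcome)
```

The point the model makes visible is that a universal role only ever widens access for users who are already allowed in somewhere else; in both proposals the unauthenticated principal still fails the members-area check, so the change does not loosen protection of non-public objects, it only removes the need to re-grant public objects to every authenticated role.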