[Zope] Authentication, Anonymous and Public

Dieter Maurer dieter@handshake.de
Tue, 4 Jul 2000 19:52:03 +0200 (CEST)


Stuart Bishop writes:
 > On Fri, 30 Jun 2000, Dieter Maurer wrote:
 > > In Zope, each user has a set of roles.
 > > Any user has the "Anonymous" role. Log-in users may have
 > > additional roles.
 > > 
 > > Thus, what you see, should not happen.
 > 
 > Users, by default, are not granted the 'Anonymous' role. If you
 > explicitly grant the Anonymous role to your users you will get the behaviour
 > you want.

Let's discuss whether this is useful.

A user that does not log in, i.e. a user you know nothing of,
gets the "Anonymous" role automatically (at least with "acl_users").
A logged-in user may not get the "Anonymous" role.

This does not provide additional security, because this
user may simply shut down his browser and access the page again
as an anonymous user.
On the other hand, it may result in surprises: suddenly (after
a log on) I can no longer do things that I was able to do
before the log on.

I think this should be changed.


Dieter
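
An added example, not part of the original message and not Zope's code or API: a simplified Python model of the two behaviours discussed in this thread (every user implicitly holds "Anonymous", versus only unauthenticated requests getting it), which lists the permissions a user loses by logging in. The function names, the ACL and the users are constructed for illustration.

```python
# Simplified model of a role-based permission check.
# Assumption: this is NOT Zope's implementation; names and data are constructed.
ANONYMOUS = "Anonymous"


def effective_roles(user, implicit_anonymous):
    """Return the set of roles used for the permission check.

    user is None for an unauthenticated request, otherwise a dict with a
    "roles" list. implicit_anonymous=True models "any user has the
    Anonymous role"; False models "only explicitly granted roles count".
    """
    if user is None:
        return {ANONYMOUS}
    roles = set(user["roles"])
    if implicit_anonymous:
        roles.add(ANONYMOUS)
    return roles


def allowed(user, permission, acl, implicit_anonymous):
    """True if any effective role is granted the permission in the ACL."""
    granted_to = acl.get(permission, set())
    return bool(effective_roles(user, implicit_anonymous) & granted_to)


def lost_on_login(user, acl, implicit_anonymous):
    """Permissions an unauthenticated visitor has but this logged-in user lacks."""
    return sorted(
        p for p in acl
        if allowed(None, p, acl, implicit_anonymous)
        and not allowed(user, p, acl, implicit_anonymous)
    )


# Constructed sample data: permission -> roles that hold it.
ACL = {
    "View": {"Anonymous"},
    "Add Comments": {"Anonymous", "Member"},
    "Manage": {"Manager"},
}
MEMBER = {"name": "alice", "roles": ["Member"]}               # no explicit Anonymous
GRANTED = {"name": "bob", "roles": ["Member", "Anonymous"]}   # Anonymous granted by hand

if __name__ == "__main__":
    for label, implicit in (("explicit roles only", False), ("implicit Anonymous", True)):
        for user in (MEMBER, GRANTED):
            print(label, user["name"], "loses:", lost_on_login(user, ACL, implicit))
```

Running `lost_on_login` over every account in a user folder is a quick audit for the "surprise after log on" case: any non-empty result is a permission that works without credentials but fails with them.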