[Zope] Authentication, Anonymous and Public
Brian Lloyd
Brian@digicool.com
Wed, 5 Jul 2000 10:19:02 -0400
> > A user that does not log in, i.e. a user you know nothing of,
> > gets the "Anonymous" role automatically (at least with "acl_users").
> > A logged in user may not get the "Anonymous" role.
> >
> > This does not provide additional security, because this
> > user may simply shut down his browser and access the page again
> > as an anonymous user.
> > On the other hand, it may result in surprises: suddenly (after
> > a log on) I can no longer do things that I was able to do
> > before the log on.
> >
> > I think this should be changed.
>
> I agree, and I've said so, many times before ;-)
>
> Chris
Guys -
I'm looking at the security code, and the intent is
that if 'Anonymous' is in the roles required to access
an object, the user is allowed (even though he may not
have been given the 'Anonymous' role explicitly).
This appears to be the case both in 2.1.x and the new
2.2.x security policy - I've been trying to replicate
the problem you are referring to but I must be missing
something. My test case was:
o create a user 'test', giving him only 'test_role'
o create a dtml document object with default security
(anonymous has 'View' permission)
o give users with 'test_role' 'View mgmt screens' on
the dtml document.
o in a new browser, visit doc/manage to force login
as 'test' with 'test_role'
o try to view the doc normally ('View' is only given
to anonymous), which works as expected
Can you give me a scenario that shows the problem so
that I can reproduce it? (walk me through what objects
to create, what permissions to give, how to try to
access them). This should be done with standard built-in
User/UserFolders if possible.
Thanks!
Brian Lloyd brian@digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com
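An added illustration, not Zope's own code or anything from this thread: a minimal model of the role check, run on Brian's test case. `allowed_as_intended` implements the behaviour he describes (if 'Anonymous' is among the roles that carry a permission, every user is allowed), while `allowed_strict` models the behaviour the quoted poster complains about (a logged-in user no longer carries 'Anonymous'). Permission names, role names and the user/document objects are assumptions modelled on the post, not Zope's real API.

```python
from dataclasses import dataclass, field

ANONYMOUS = "Anonymous"  # role the thread discusses


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset          # roles explicitly assigned in acl_users
    logged_in: bool


@dataclass
class Document:
    # permission name -> set of roles granted that permission (hypothetical layout)
    permission_roles: dict = field(default_factory=dict)


def allowed_as_intended(user, doc, permission):
    """Brian's description: Anonymous in the required roles lets anyone through,
    whether or not the user was explicitly given the Anonymous role."""
    required = doc.permission_roles.get(permission, set())
    return ANONYMOUS in required or bool(required & user.roles)


def allowed_strict(user, doc, permission):
    """The complained-about behaviour: only a user who did not log in
    carries the Anonymous role, so logging in can remove access."""
    required = doc.permission_roles.get(permission, set())
    effective = set(user.roles)
    if not user.logged_in:
        effective.add(ANONYMOUS)
    return bool(required & effective)


def brians_test_case():
    """Constructed scenario from the post: user 'test' has only 'test_role';
    the document grants 'View' to Anonymous (default) and
    'View management screens' to 'test_role'."""
    doc = Document({"View": {ANONYMOUS},
                    "View management screens": {"test_role"}})
    anon = User("anonymous", frozenset(), logged_in=False)
    test = User("test", frozenset({"test_role"}), logged_in=True)
    return {
        "anon_view": allowed_as_intended(anon, doc, "View"),
        "test_manage": allowed_as_intended(test, doc, "View management screens"),
        "test_view_intended": allowed_as_intended(test, doc, "View"),
        "test_view_strict": allowed_strict(test, doc, "View"),  # the surprise
    }
```

The last two entries show the difference: under the intended policy the logged-in user can still view the document, under the strict policy logging in costs him access that an anonymous visitor keeps.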