[Zope] hasRole bug or feature in 2.2.?

Chris McDonough chrism@digicool.com
Thu, 11 Jan 2001 18:25:00 -0500 

You're gonna laugh.  Get ready.

You didn't protect the isMember document.  It's viewable by Anonymous.  The
Zope security machinery short-circuits authentication for resources that
don't require it.  This means that when you view a resource that's
unprotected, you view it "as Anonymous".  Anonymous doesn't have the Member
role, so you see "You are NOT a Member" when you view /isMember.

I don't particularly like this behavior, but it seems not to bother anyone
else.  I think it should authorize you and set AUTHENTICATED_USER if you
pass in auth info regardless of the protection on the resource you're trying
to view.

----- Original Message -----
From: "Ron Bickers" <rbickers@logicetc.com>
To: <zope@zope.org>
Sent: Thursday, January 11, 2001 5:01 PM
Subject: [Zope] hasRole bug or feature in 2.2.?


> I'm having a problem with AUTHENTICATED_USER.hasRole()
>
> I have a user with the role 'Member' defined at the root level (and
nowhere
> else).  I also have the following DTML method at the root level:
>
>   <dtml-if "REQUEST['AUTHENTICATED_USER'].hasRole(PARENTS[-1],
['Member'])">
>   You are a Member.
>   <dtml-else>
>   Your are NOT a Member.
>   </dtml-if>
>
> When I first request the protected document /Bogus/membersonly, I'm
prompted
> to log in.  When I do, I get access to the /Bogus/membersonly document.
> Then when I request /Bogus/isMember, it says I am a Member.  However, when
I
> request /isMember, it says I am NOT a Member.  Anywhere I request
isMember,
> other than in the /Bogus folder, I am NOT a Member, even though the user
is
> defined at the root level with the Member role.
>
> If I then request a protected document /membersonly, it shows me the
> document without prompt.  After I do that, when I request /isMember or
> /AnyFolder/isMember, it now tells me I am a Member.
>
> Why does it not recognize that I'm a user with the Member role anywhere on
> the site until I access a protected document at the root level?  Is this
by
> design or a bug?  If by design, what's the reasoning?
>
> Thanks!
> _______________________
>
> Ron Bickers
> Logic Etc, Inc.
> rbickers@logicetc.com
>
>
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )
>
>