[Zope] hasRole bug or feature in 2.2.?

Dieter Maurer dieter@handshake.de
Fri, 12 Jan 2001 23:00:13 +0100 (CET)


Chris McDonough writes:
 > You didn't protect the isMember document.  It's viewable by Anonymous.  The
 > Zope security machinery short-circuits authentication for resources that
 > don't require it.  This means that when you view a resource that's
 > unprotected, you view it "as Anonymous".  Anonymous doesn't have the Member
 > role, so you see "You are NOT a Member" when you view /isMember.
 > 
 > I don't particularly like this behavior, but it seems not to bother anyone
 > else.  I think it should authorize you and set AUTHENTICATED_USER if you
 > pass in auth info regardless of the protection on the resource you're trying
 > to view.
It would bother me a lot if you were right :-)

Fortunately, you are not completely right.

What really happens is the following:

  when ZPublisher has located the object addressed by
  the request URL, it starts working its way back
  along PARENTS to find a UserFolder that can
  authenticate a user with sufficient permissions
  to call the object.

  If the object is unprotected, then no permissions
  are required. In this case, the top level
  UserFolder will return "Anonymous",
  if it is reached and it cannot authenticate the
  user.
  Therefore, an unprotected object can be
  called by Anonymous and in this case,
  "hasRole" is that of "Anonymous", as Chris
  reported.

  However, if a protected object has previously
  been accessed, then your browser may (and usually
  will) send authentication information with
  all following requests.
  A UserFolder will use this information (if present)
  to authenticate the user, even if no permissions
  are necessary for object access.
  If successful, AUTHENTICATED_USER will not
  be "Anonymous" even though the accessed object
  is unprotected.


Dieter
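The walk along PARENTS that Dieter describes, as an added example that is not part of the original mail and not Zope's own code: a small Python model in which each container may carry a UserFolder (`acl_users`), an object is either unprotected or requires one role (roles stand in for Zope permissions here, a simplification), and the publisher tries every UserFolder from the object up to the root with whatever `Authorization` header the browser sent. The site layout, the user `alice` and all class and function names are constructed for the illustration.

```python
import base64

ANONYMOUS = "Anonymous"


class Unauthorized(Exception):
    """Raised when no UserFolder along PARENTS can authorize the call."""


class User:
    def __init__(self, name, password, roles):
        self.name = name
        self._password = password
        self.roles = frozenset(roles)

    def has_role(self, role):
        """Stand-in for Zope's hasRole on AUTHENTICATED_USER."""
        return role in self.roles


# The user an unprotected object is served "as" when nobody authenticates.
ANONYMOUS_USER = User(ANONYMOUS, None, ["Anonymous"])


class UserFolder:
    """Toy acl_users: validates HTTP Basic credentials against a user table."""

    def __init__(self, users):
        self._users = {u.name: u for u in users}

    def authenticate(self, auth_header):
        """Return the User matching an 'Authorization: Basic ...' header, else None."""
        if not auth_header or not auth_header.lower().startswith("basic "):
            return None
        try:
            decoded = base64.b64decode(auth_header[6:]).decode("utf-8")
            name, password = decoded.split(":", 1)
        except (ValueError, UnicodeDecodeError):
            return None
        user = self._users.get(name)
        if user is not None and user._password == password:
            return user
        return None


class Folder:
    def __init__(self, name, acl_users=None, required_role=None):
        self.name = name
        self.acl_users = acl_users            # a UserFolder, or None
        self.required_role = required_role    # None means "unprotected"


def authenticated_user(parents, auth_header=None):
    """Walk PARENTS (published object first, root last) and pick the user.

    Every UserFolder on the way to the root gets a chance to authenticate
    the supplied credentials, even when the object needs no role at all.
    """
    published = parents[0]
    needed = published.required_role
    for uf in (c.acl_users for c in parents if c.acl_users is not None):
        user = uf.authenticate(auth_header)
        if user is not None and (needed is None or user.has_role(needed)):
            return user
    # The top-level UserFolder has been reached without authenticating anyone:
    # Anonymous may call an unprotected object, a protected one is refused.
    if needed is None:
        return ANONYMOUS_USER
    raise Unauthorized(published.name)


def basic_auth(name, password):
    """Build the header a browser replays after an earlier Basic challenge."""
    token = base64.b64encode(f"{name}:{password}".encode()).decode()
    return "Basic " + token


# Constructed site: /isMember is unprotected, /members/secret needs Member.
root = Folder("/", acl_users=UserFolder([User("alice", "s3cret", ["Member"])]))
members = Folder("members")
secret = Folder("secret", required_role="Member")
is_member = Folder("isMember")


def demo():
    """Reproduce the four cases discussed in the thread; returns a summary."""
    results = {}
    # 1. Fresh browser, no header: the unprotected object is served as Anonymous.
    results["isMember, no auth"] = authenticated_user([is_member, root]).name
    # 2. Browser replays alice's credentials: the UserFolder authenticates her
    #    although /isMember requires nothing, so hasRole("Member") is true.
    results["isMember, with auth"] = authenticated_user(
        [is_member, root], basic_auth("alice", "s3cret")).name
    # 3. Protected object without credentials: nothing up to the root authorizes it.
    try:
        authenticated_user([secret, members, root])
        results["secret, no auth"] = "served"
    except Unauthorized:
        results["secret, no auth"] = "Unauthorized"
    # 4. Bad password on an unprotected object falls back to Anonymous, not an error.
    results["isMember, bad auth"] = authenticated_user(
        [is_member, root], basic_auth("alice", "wrong")).name
    return results
```

Case 2 is the point of Dieter's reply: whether `/isMember` reports "Member" depends on whether the browser happens to send credentials, not on the protection of `/isMember` itself. A check that relies on `hasRole` of an unprotected resource is therefore only as reliable as the browser's replay of the `Authorization` header.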