[Zope] hasRole bug or feature in 2.2.?

Ron Bickers rbickers@logicetc.com
Fri, 12 Jan 2001 20:38:15 -0500


> -----Original Message-----
> From: zope-admin@zope.org [mailto:zope-admin@zope.org]On Behalf Of
> Dieter Maurer
> Sent: Friday, January 12, 2001 5:00 PM
> To: Chris McDonough
> Cc: zope@zope.org
> Subject: Re: [Zope] hasRole bug or feature in 2.2.?
>
>

>   However, if previously a protected object
>   has been accessed, then your browser may (and usually
>   will) send Authentication information with
>   all following requests.
>   A UserFolder will use this information (if present)
>   to authenticate the user, even if no permissions
>   are necessary for object access.
>   If successful, AUTHENTICATED_USER will not
>   be "Anonymous" even though the accessed object
>   is unprotected.

I think I understand, but correct me if I'm wrong.  The problem is that my
browser is not even *sending* the authentication information to the other
parts of the site until I first access a protected document at the root
level.  That is, the browser only continues to send auth info on levels at
and below where I've requested a protected document.  If that protected
document is at the root level, I get the auth info everywhere in the site.
Does this also mean that even after authenticating myself on one part of the
site, accessing a protected document on another part of the site may result
in an "unauthorized" response from Zope, to which my browser kindly responds
for me without me realizing it?

If this is true, it explains clearly Zope's behavior.  It's really a browser
"feature" and not a Zope issue at all.

Given that, is it fair to say that I can never really be sure that an
authenticated user (somewhere else on the site) accessing an unprotected
document has a given role?  Or would it be safe to assume that after
accessing a root protected document, hasRole() will return the "right"
answer anywhere in the site?

If I can't safely assume any of the above, would I be better off using a
session product to track a user after login so I can determine their roles
from an unprotected document?  Any other ways?

My goal, BTW, is to avoid showing certain content on an otherwise public
page unless the authenticated user has the Member role.  If there is a
cleaner way to do this, I'm all ears.

Thanks!
_______________________

Ron Bickers
Logic Etc, Inc.
rbickers@logicetc.com
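The browser behaviour this thread describes (credentials cached per challenged directory and sent pre-emptively only at or below it, the HTTP Basic "protection space" of RFC 2617) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the thread or from Zope: the site map, the user database and the `Browser` class are constructed stand-ins, and `serve()` mimics only the one UserFolder property under discussion, namely that credentials are checked whenever the header is present, even on a document that needs no permission.

```python
import base64

# Constructed sample site: document path -> role required to view it (None = public)
SITE = {
    "/index": None,                 # public front page
    "/login": "Member",             # protected document at the root level
    "/news/index": None,            # public page that should show Member-only extras
    "/news/members_only": "Member",
}

# Constructed user database: username -> (password, roles)
USERS = {"ron": ("secret", {"Member"})}


def authenticate(authorization):
    """Return (AUTHENTICATED_USER, roles) derived from a Basic Authorization header."""
    anonymous = ("Anonymous", set())
    if not authorization or not authorization.startswith("Basic "):
        return anonymous
    try:
        user, password = base64.b64decode(authorization[6:]).decode().split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return anonymous
    stored = USERS.get(user)
    if stored is None or stored[0] != password:
        return anonymous
    return (user, set(stored[1]))


def serve(path, headers):
    """Toy server: returns (status, AUTHENTICATED_USER, roles).

    As with a UserFolder, credentials are evaluated whenever the header is
    present, so an unprotected page sees the real user only if the browser
    chose to send the header.
    """
    user, roles = authenticate(headers.get("Authorization"))
    required = SITE[path]
    if required is not None and required not in roles:
        return (401, user, roles)
    return (200, user, roles)


def directory_of(path):
    """'/news/members_only' -> '/news/', '/login' -> '/'."""
    return path[: path.rfind("/") + 1]


class Browser:
    """Models a browser that caches Basic credentials per challenged directory."""

    def __init__(self, username, password):
        raw = f"{username}:{password}".encode()
        self.credential = "Basic " + base64.b64encode(raw).decode()
        self.protected_dirs = []   # directories that have challenged us before
        self.silent_retries = 0    # 401s the browser answered without asking the user

    def get(self, path):
        headers = {}
        # pre-emptive send only at or below a directory that already challenged us
        if any(directory_of(path).startswith(d) for d in self.protected_dirs):
            headers["Authorization"] = self.credential
        status, user, roles = serve(path, headers)
        if status == 401:
            # the browser retries with cached credentials and remembers the directory
            self.silent_retries += 1
            self.protected_dirs.append(directory_of(path))
            headers["Authorization"] = self.credential
            status, user, roles = serve(path, headers)
        return (status, user, roles)


def walkthrough():
    """The sequence discussed in the thread; returns the user seen at each step."""
    b = Browser("ron", "secret")
    seen = {}
    seen["protected news page"] = b.get("/news/members_only")[1]        # challenged, then ron
    seen["public news page afterwards"] = b.get("/news/index")[1]       # ron: below /news/
    seen["public root page afterwards"] = b.get("/index")[1]            # Anonymous: outside /news/
    seen["root-level protected page"] = b.get("/login")[1]              # challenged at '/'
    seen["public root page after root login"] = b.get("/index")[1]      # ron: everything is below '/'
    seen["silent retries"] = b.silent_retries
    return seen
```

Running `walkthrough()` reproduces the observation in the message: a Member role check on `/index` only becomes reliable once the browser has been challenged at the root (or above the page in question), and each new protected area costs one 401 that the browser answers on the user's behalf. A session cookie sidesteps the issue because cookies are scoped by the server-set path rather than by where the last challenge happened.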