[Zope] hasRole bug or feature in 2.2.?
Chris McDonough
chrism@digicool.com
Sat, 13 Jan 2001 16:35:41 -0500
Thank god for Dieter. :-)
I'll trust that you're right, Dieter, because reading the traversal
machinery code makes my head hurt. :-)
----- Original Message -----
From: "Dieter Maurer" <dieter@handshake.de>
To: "Chris McDonough" <chrism@digicool.com>
Cc: <zope@zope.org>
Sent: Friday, January 12, 2001 5:00 PM
Subject: Re: [Zope] hasRole bug or feature in 2.2.?
> Chris McDonough writes:
> > You didn't protect the isMember document. It's viewable by Anonymous. The
> > Zope security machinery short-circuits authentication for resources that
> > don't require it. This means that when you view a resource that's
> > unprotected, you view it "as Anonymous". Anonymous doesn't have the Member
> > role, so you see "You are NOT a Member" when you view /isMember.
> >
> > I don't particularly like this behavior, but it seems not to bother anyone
> > else. I think it should authorize you and set AUTHENTICATED_USER if you
> > pass in auth info regardless of the protection on the resource you're trying
> > to view.
> It would bother me a lot, if you were right :-)
>
> Fortunately, you are not completely right.
>
> What really happens is the following:
>
> when ZPublisher has located the object addressed by
> the request URL, it starts going back its way
> along PARENTS to find a UserFolder that can
> authenticate a user with sufficient permissions
> to call the object.
>
> If the object is unprotected, then no permissions
> are required. In this case, the top level
> UserFolder will return "Anonymous",
> if it is reached and it cannot authenticate the
> user.
> Therefore, an unprotected object can be
> called by Anonymous and in this case,
> "hasRole" is that of "Anonymous", as Chris
> reported.
>
> However, if previously a protected object
> has been accessed, then your browser may (and usually
> will) send Authentication information with
> all following requests.
> A UserFolder will use this information (if present)
> to authenticate the user, even if no permissions
> are necessary for object access.
> If successful, AUTHENTICATED_USER will not
> be "Anonymous" even though the accessed object
> is unprotected.
>
>
> Dieter
>
> _______________________________________________
> Zope maillist - Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope-dev )
>
>
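The exchange above describes how ZPublisher walks back along PARENTS looking for a user folder, why an unprotected object ends up viewed "as Anonymous" when the browser sends no credentials, and why it is viewed as the real user once the browser re-sends credentials it picked up from an earlier protected request. The following toy model is an added example written for this page; it is not Zope's code and does not reproduce the real UserFolder.validate() logic. The site layout (a root acl_users with users "alice" and "bob", an unprotected /isMember and a Member-only /members), the passwords and the class names are all constructed for illustration.

```python
"""Toy model of the user-folder walk described in the thread (not Zope code)."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

ANONYMOUS = "Anonymous"


class Unauthorized(Exception):
    """Raised when no user folder along PARENTS can authorize the request."""


@dataclass
class User:
    name: str
    password: str
    roles: Set[str]


@dataclass
class UserFolder:
    """Hypothetical acl_users: a name -> User table with password checking."""
    users: dict

    def authenticate(self, credentials: Optional[Tuple[str, str]]) -> Optional[User]:
        # Credentials are used whenever they are present, whether or not the
        # requested object needs any permission (Dieter's second point).
        if credentials is None:
            return None
        name, password = credentials
        user = self.users.get(name)
        if user is not None and user.password == password:
            return user
        return None


@dataclass
class Obj:
    """A published object. required_roles=None models an unprotected object."""
    name: str
    required_roles: Optional[Set[str]] = None
    acl_users: Optional[UserFolder] = None
    parent: Optional["Obj"] = None


def validate(obj: Obj, credentials: Optional[Tuple[str, str]]) -> Tuple[str, Set[str]]:
    """Walk PARENTS from obj up to the root, asking each user folder in turn.

    Returns (AUTHENTICATED_USER name, roles).  A folder that can authenticate
    the supplied credentials with sufficient roles wins immediately.  Only when
    the top-level folder is reached without such a user does an unprotected
    object fall back to Anonymous; a protected one raises Unauthorized.
    """
    required = obj.required_roles
    node = obj
    while node is not None:
        folder = node.acl_users
        if folder is not None:
            user = folder.authenticate(credentials)
            if user is not None and (required is None or user.roles & required):
                return user.name, set(user.roles)
            if node.parent is None:  # top-level user folder reached
                if required is None:
                    return ANONYMOUS, set()
                raise Unauthorized(obj.name)
        node = node.parent
    raise Unauthorized(obj.name)  # tree without any user folder at all


def has_role(roles: Set[str], role: str) -> bool:
    """What a DTML hasRole check would report for the authenticated user."""
    return role in roles


def build_site() -> Tuple[Obj, Obj, Obj]:
    """Constructed site: root acl_users, unprotected /isMember, protected /members."""
    acl = UserFolder({
        "alice": User("alice", "secret", {"Member"}),
        "bob": User("bob", "hunter2", set()),
    })
    root = Obj("root", acl_users=acl)
    is_member = Obj("isMember", required_roles=None, parent=root)
    members = Obj("members", required_roles={"Member"}, parent=root)
    return root, is_member, members


if __name__ == "__main__":
    _, is_member, members = build_site()
    # First visit to /isMember with no credentials: Anonymous, hasRole('Member') is false.
    print(validate(is_member, None))
    # After visiting /members, the browser re-sends alice's credentials; now
    # the unprotected page sees alice and hasRole('Member') is true.
    print(validate(is_member, ("alice", "secret")))
    print(validate(members, ("alice", "secret")))
```

Running the block prints Anonymous for the credential-less request and alice for the request that carries credentials, which is exactly the difference between Chris's observation and Dieter's explanation: the page's protection decides only the fallback, not whether credentials are honoured.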