[Zope] repost: standard_error_message and roles

Flynt rhess@bic.ch
Tue, 29 May 2001 15:04:35 +0200


Danny William Adair wrote:
> 
> Hi!
> 
> Strange behavior...
> 
> While customizing my standard_error_message, I ran into a problem: Someone
> with the role "Member" is logged in and tries to access a resource that
> does not exist. Same could happen to someone who doesn't have that role
> (Anonymous). Now I have two different style sheets for members and
> non-members: A member might click on a broken link from within the
> members-only area (having a... pink background), the anonymous user clicked
> the same broken link from a publicly accessible area of the site (having
> a... silver background). I would like to keep the different background
> colors when showing my error message so I put a
> 
> <dtml-if "AUTHENTICATED_USER.has_role('Member')">
> <dtml-var "members_css">
> <dtml-else>
> <dtml-var "public_css">
> </dtml-if>
> 
> in the head section of standard_error_message (these *_css are ZStyleSheets)
> 
> My problem is, that it's always the public_css that's used.
> So I checked with
> <dtml-var "AUTHENTICATED_USER.getRoles()">
> in both the members area and standard_error_message. To my surprise the
> member role was gone:
> 
> In the members area - after authentication - getRoles() returned
> ('Member',)
> 
> while in standard_error_message ( _.str(error_type)=='NotFound' ) it returned
> ('Anonymous',)
> 
> btw, the role is not really "lost", I can go back to the members area and
> click through members-only pages without problems.
> 
> What's happening?

Hi Danny

Zope does *not* undertake a full authentication check when a method is
accessed that is allowed to be accessed by *Anonymous*.

The ZServer only looks up the permission settings of the method
requested, and when it sees that *Anonymous* has got the permission to
access it, it treats the user (i.e. AUTHENTICATED_USER) as *Anonymous
User* and serves the request. That is why, while serving the request
for the standard_error_message, *AUTHENTICATED_USER* has the value of
'Anonymous User'.

Only if *Anonymous* hasn't got sufficient privileges does ZServer check on
the user and his roles.

Regards,

--- Flynt
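As an added illustration of the lookup order Flynt describes (this is not Zope's own user-folder code, just a small Python model written for this thread): the roles allowed on the requested object are consulted first, and the HTTP Basic credentials are only decoded and checked when *Anonymous* is not among them. The user table, the per-object role lists, the class and function names and the credential format are all assumptions made for the example.

```python
"""Simplified model of lazy authentication as described in the reply.

Added illustration, not Zope's user-folder implementation: the user
table, the protection table, the names below and the use of HTTP Basic
credentials are assumptions chosen to make the behaviour visible.
"""
import base64
from dataclasses import dataclass

ANONYMOUS = "Anonymous"

# Constructed user database: name -> (password, roles).  Not real data.
USERS = {
    "danny": ("s3cret", ("Member",)),
}

# Constructed per-object protection: object id -> roles allowed to View.
# standard_error_message is viewable by Anonymous, members_area is not.
PROTECTION = {
    "members_area": ("Member", "Manager"),
    "standard_error_message": (ANONYMOUS, "Member", "Manager"),
}


@dataclass(frozen=True)
class User:
    name: str
    roles: tuple

    def has_role(self, role):
        return role in self.roles


# The user every request is served as when no credentials are examined.
NOBODY = User("Anonymous User", (ANONYMOUS,))


def basic_auth(name, password):
    """Build an HTTP Basic Authorization header value (assumed format)."""
    token = base64.b64encode(f"{name}:{password}".encode()).decode()
    return "Basic " + token


def identify(auth_header):
    """Decode HTTP Basic credentials into (name, password), or None."""
    if not auth_header or not auth_header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(auth_header[6:]).decode()
    except Exception:
        return None
    name, _, password = raw.partition(":")
    return name, password


def validate(auth_header, object_id):
    """Return the user the request is served as, or None if denied.

    The object's allowed roles are looked up first; if Anonymous is among
    them the credentials are never examined and the request is served as
    Anonymous User.  Only protected objects trigger credential checking.
    """
    allowed_roles = PROTECTION[object_id]
    if ANONYMOUS in allowed_roles:
        return NOBODY            # short-circuit: credentials ignored
    creds = identify(auth_header)
    if creds is None:
        return None              # protected object, no credentials -> 401
    name, password = creds
    entry = USERS.get(name)
    if entry is None or entry[0] != password:
        return None              # bad credentials -> 401
    user = User(name, entry[1])
    if not any(role in allowed_roles for role in user.roles):
        return None              # authenticated but not authorised -> 403
    return user


def roles_seen_by(object_id, auth_header):
    """What AUTHENTICATED_USER.getRoles() would show inside that object."""
    user = validate(auth_header, object_id)
    return None if user is None else user.roles


if __name__ == "__main__":
    danny = basic_auth("danny", "s3cret")
    print(roles_seen_by("members_area", danny))            # ('Member',)
    print(roles_seen_by("standard_error_message", danny))  # ('Anonymous',)
```

Run stand-alone it reproduces the two results from the thread with the same credentials: the protected members area reports the Member role, the publicly viewable error page reports Anonymous. The practical consequence for the original question is that a template anyone may view cannot use AUTHENTICATED_USER to tell members from the public, because on such an object the credentials are never looked at.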