[Zope] Problem with AUTHENTICATED_USER.has_role('X')

Dieter Maurer dieter@handshake.de
Fri, 13 Dec 2002 22:50:49 +0100


complaw@hal-pc.org writes:
 > ...
 > The authentication scheme calls a DTML Method
 > (named "logger") that has security settings such that the challenge/response
 > routine is initiated.  Once the user is able to run logger, it takes them back
 > to the index_html file (with the standard_html_header file mentioned above). 
 > When coming from the logger object, the menu is constructed correctly
 > (according to the user's role).  However, when coming back to index_html from
 > somewhere else (say another folder), it goes back to the non-authenticated menu
 > as if I never logged in (i.e., the code of the AUTHENTICATED_USER has somehow
 > changed or is being ignored).
According to the HTTP specification, a browser should automatically
add authentication information for requests at the same level or
below the object which required the authentication.

Thus, URLs going to a different subtree will not automatically
get authentication information and are apparently accessed
by "Anonymous".
Workaround: Move your "logger" into the root of your Website.

Some browsers (prominent example, early versions of IE 5.0)
do not follow the HTTP "should" specification.
If you have such a browser, upgrade to something better.


Dieter
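To make the scope rule concrete, here is an added example (not from the original thread) that models how a compliant browser decides whether to send Basic-auth credentials preemptively: the protection space is the directory containing the challenged URL (RFC 2617 section 2), so a "logger" deep in a subfolder covers only that subfolder while one at the site root covers everything. The host name and paths are constructed for illustration.

```python
from urllib.parse import urlsplit


def protection_space(challenge_url: str) -> str:
    """Path prefix a browser treats as the Basic-auth protection space.

    RFC 2617 section 2: a client SHOULD assume that all paths at or below the
    directory of the challenged Request-URI belong to the same realm, so the
    prefix is the challenged path with its last segment removed.
    """
    path = urlsplit(challenge_url).path or "/"
    return path.rsplit("/", 1)[0] + "/"


def sends_credentials(challenge_url: str, request_url: str) -> bool:
    """True if a compliant browser would attach Authorization unprompted."""
    c, r = urlsplit(challenge_url), urlsplit(request_url)
    # Credentials never cross to a different scheme or host.
    if (c.scheme, c.netloc) != (r.scheme, r.netloc):
        return False
    # Prefix test on the path; the trailing "/" in the prefix prevents
    # /Members/Sub/ from matching /Members/Subfolder/.
    return (r.path or "/").startswith(protection_space(challenge_url))


def effective_user(challenge_url: str, request_url: str, user: str) -> str:
    """Who Zope sees: the logged-in user, or Anonymous if no header arrives."""
    return user if sends_credentials(challenge_url, request_url) else "Anonymous"


if __name__ == "__main__":
    site = "http://www.example.com"  # constructed host
    deep_logger = site + "/Members/Sub/logger"
    root_logger = site + "/logger"
    for target in ("/Members/Sub/index_html", "/Other/index_html"):
        print(target,
              "deep logger ->", effective_user(deep_logger, site + target, "alice"),
              "| root logger ->", effective_user(root_logger, site + target, "alice"))
```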