[Zope] Should everyone always have 'Anonymous' role?

Stefan H. Holek stefan at epy.co.at
Thu Aug 7 16:08:49 EDT 2003


I still think he is wrong ;-) [Hi Jens!]

Some excerpts from AccessControl/User.py:

  nobody=SpecialUser('Anonymous User','',('Anonymous',), [])

  class BasicUser(Implicit):

      def allowed(self, object, object_roles=None):
          """Check whether the user has access to object. The user must
             have one of the roles in object_roles to allow access."""

          if object_roles is _what_not_even_god_should_do: return 0

          # Short-circuit the common case of anonymous access.
          if object_roles is None or 'Anonymous' in object_roles:
              return 1
          ...

  class SimpleUser(BasicUser):

      def getRoles(self):
          """Return the list of roles assigned to a user."""
          if self.name == 'Anonymous User': return tuple(self.roles)
          else: return tuple(self.roles) + ('Authenticated',)


AFAICS only nobody has role 'Anonymous', ever. And - looking at allowed - 
there does not seem to be any benefit in having the 'Anonymous' role, 
because the check for anonymous access is short-circuited and never reaches 
proper role comparison anyway...

I've been writing some user folders lately, and what Jens observed never 
occurred to me.

I agree that the 'Anonymous' role must always be defined in the *system* or 
all kinds of breakage will occur (you should be able to see it in the 
'Security' tab). I do not, however, see why it should be necessary to give 
'Anonymous' to *users* other than nobody. Nor do I see where this would be 
done if it were.

So, Jens, please show us the code ;-)

Stefan



--On Wednesday, 06. August 2003 17:13 +0200 Jean Jordaan 
<jean at upfrontsystems.co.za> wrote:

>> I suspect that's a bug in LDAPUserFolder, I'd let the author know ;-)
>
> So did I, and I did, but Jens is positive it's needed. From
> our mails:
>
> """
> Anonymous *must always be there* for Zope to work correctly. Taking it
> out leads to a lot of breakage all over. [...]
> That test is simply flawed. Test for "Authenticated" instead. There is
> nowhere where this can be found in the docs I believe, I found it by
> trial and error.
> """

--
The time has come to start talking about whether the emperor is as well
dressed as we are supposed to think he is.               /Pete McBreen/
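Stefan's point about the short-circuit, worked through as an added example: this is my own simplified stand-in for the User.py excerpts above, not Zope's code, and the elided part of allowed() is reduced to a plain role intersection (the real method also considers local roles and context).

```python
# Added example, not from the post or from Zope: a minimal model of the
# quoted AccessControl/User.py logic. The elided tail of allowed() is
# assumed to be a simple role intersection for this demonstration.

NOT_EVEN_GOD = object()  # stand-in for _what_not_even_god_should_do

class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = tuple(roles)

    def getRoles(self):
        # Mirrors SimpleUser.getRoles: everyone except nobody is 'Authenticated'.
        if self.name == 'Anonymous User':
            return self.roles
        return self.roles + ('Authenticated',)

    def allowed(self, object_roles=None):
        # Mirrors the quoted prefix of BasicUser.allowed. The short-circuit
        # inspects only the *object's* roles; the user's roles are never read.
        if object_roles is NOT_EVEN_GOD:
            return 0
        if object_roles is None or 'Anonymous' in object_roles:
            return 1
        return 1 if any(r in object_roles for r in self.getRoles()) else 0

# Constructed users: nobody, an ordinary member, and the same member with the
# extra 'Anonymous' role that a user folder might hand out.
nobody = User('Anonymous User', ('Anonymous',))
member = User('jean', ('Member',))
member_plus_anon = User('jean', ('Member', 'Anonymous'))

# Constructed protections, from fully public to "not even god".
PROTECTIONS = [None, ('Anonymous',), ('Manager',), ('Member', 'Manager'), NOT_EVEN_GOD]

def same_access(user_a, user_b, protections=PROTECTIONS):
    """True if allowed() answers identically for both users on every protection."""
    return all(user_a.allowed(p) == user_b.allowed(p) for p in protections)

def is_anonymous_by_role(user):
    """The check Jens calls flawed: look for 'Anonymous' among the user's roles."""
    return 'Anonymous' in user.getRoles()

def is_anonymous(user):
    """The check Jens recommends: an anonymous user never has 'Authenticated'."""
    return 'Authenticated' not in user.getRoles()
```

Running it shows that adding 'Anonymous' to a real user changes no access decision, while the role-based anonymity check misclassifies that user and the 'Authenticated' check does not.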