[Zope] role, user defined roles, and inclusion

Chris Withers chris at simplistix.co.uk
Fri Apr 1 02:38:56 EST 2005


Florent Guillaume wrote:
>>from AccessControl import getSecurityManager
>>user = getSecurityManager().getUser()
>>print user.getRoles()
>>return printed
>>
>>returns ('Manager', 'Authenticated') when logged in as a manager
> 
> This queries the user object, and returns all roles the implementation
> decided to return. 

Are you implying that something else gives the user the Anonymous role 
as far as Zope security is concerned?

> Standard user folder only returns 'Authenticated' in
> addition to the roles explicitly given to that user....

Indeed, but they don't give Anonymous to any user who has provided 
successful auth credentials.

> (FWIW in CPSUserFolder we chose to return Authenticated as well as
> Anonymous to be consistent.)

In what context? Providing both Authenticated and Anonymous on the same 
user at the same time seems bizarre ;-)

> ...but from the security machinery's point of view, if an object or
> method is protected by a permission given to the role Anonymous, then
> any user will have access. ImplPython.validate has:
>         # Short-circuit tests if we can:
>         try:
>             if roles is None or 'Anonymous' in roles:
>                 return 1
> (roles here is the roles issued from the permission on the object considered.)

Indeed, this is a little wart but one that makes sense. It doesn't, 
however, mean that Authenticated users have the Anonymous role, which was 
the original question.

However, my example was incorrect, since provided anonymous can BeAnon, 
then so can anyone else, which is a little odd, but doesn't really 
matter in the grand scheme of things...

cheers,

Chris

-- 
Simplistix - Content Management, Zope & Python Consulting
            - http://www.simplistix.co.uk
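As an added example (not code from the thread or from Zope itself), a small Python model of the check Florent quotes: it is the roles a permission is mapped to, not the roles the user object reports, that decide whether an Authenticated user reaches something granted to Anonymous. The User class, the permission names and the role mapping below are constructed for illustration.

```python
# Added example (not code from the thread or from Zope): a small model of the
# permission check discussed above.  A permission maps to a tuple of roles (or
# None); a user's getRoles() returns whatever its user folder decided to give.

ANONYMOUS = "Anonymous"
AUTHENTICATED = "Authenticated"

class User:
    """Stand-in for a Zope user object holding the roles its user folder assigns."""

    def __init__(self, name, roles):
        self.name = name
        self._roles = tuple(roles)

    def getRoles(self):
        return self._roles

def validate(user, permission_roles):
    """Mimics the short-circuit in AccessControl's ImplPython.validate: an
    unrestricted permission (None) or one granted to Anonymous lets anyone
    through, regardless of the roles the user object reports.  Otherwise the
    user needs at least one of the roles the permission is mapped to."""
    if permission_roles is None or ANONYMOUS in permission_roles:
        return True
    return any(role in permission_roles for role in user.getRoles())

def effectively_public(permission_map):
    """Audit helper: permissions every user can exercise, authenticated or not,
    because they are mapped to Anonymous or left unrestricted."""
    return sorted(name for name, roles in permission_map.items()
                  if roles is None or ANONYMOUS in roles)

# Constructed users: a standard user folder gives a manager Manager and
# Authenticated but never Anonymous; the anonymous user holds only Anonymous.
manager = User("manager", ("Manager", AUTHENTICATED))
anonymous = User("anonymous", (ANONYMOUS,))

# Constructed permission-to-roles mapping on some object (BeAnon is the
# permission from the thread, granted to Anonymous).
PERMISSIONS = {
    "View": (ANONYMOUS,),
    "BeAnon": (ANONYMOUS,),
    "Add Documents": (AUTHENTICATED,),
    "Manage portal": ("Manager",),
    "Access contents": None,
}
```

Running `effectively_public(PERMISSIONS)` is the check to make before assuming a permission is limited to logged-in users: anything it lists is reachable by everyone, even though no authenticated user ever holds the Anonymous role.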
