[Zope] role, user defined roles, and inclusion
robert
robert at redcor.ch
Wed Mar 30 04:03:18 EST 2005
Chris Withers wrote:
> Hi Dennis,
>
> Dennis Allison wrote:
>
>> Are the standard roles (anonymous, authorized_user, manager)
>> inclusive? By inclusive I mean that an authorized_user is also
>> treated as an
>> anonymous_user and that a manager is also anonymous and an
>> authorized_user.
>
>
> Anonymous and Authenticated are two special roles.
>
> A user will have the Anonymous role iff they have not supplied any
> authentication credentials.
>
> A user will have the Authenticated role iff they HAVE supplied
> authentication credentials.
>
> A user will never have Authenticated and Anonymous roles at the same
> time.
>
> For all other roles, the user has those roles or not. Having or not
> having a role has no effect on having or not having any other role.
>
> The permissions a user has is the logical OR of all the permissions
> mapped to all the roles the user has.
>
> eg:
>             Anonymous   Authenticated   Manager   Wizard
> BeAnon          x
> View            x             x            x
> Change                        x
> Delete                                     x
> Magik                                                x
>
> So, the anonymous user can view things, and is the only user who can
> BeAnon.
> A manager can View and Delete things; they can also Change things by
> way of their being authenticated.
> A person with only the Wizard role will be able to do Magik as well as
> change and view things by way of being authenticated.
> A user with Manager and Wizard roles will be able to view, change,
> delete and do magik, but even that magik won't allow them to BeAnon ;-)
>
> HTH,
>
> Chris
>
Chris,
I *think* the security machinery is short-circuited when Anonymous has
been granted a permission.
In this case everybody gets that permission granted.
Is that so?
Robert
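The following is an added illustration of the role/permission semantics Chris describes above (a user's permissions are the logical OR of the permissions mapped to the roles they hold, with Anonymous and Authenticated being mutually exclusive and derived from whether credentials were supplied). It is not Zope's own code. The `anonymous_short_circuit` switch models the reading Robert asks about, in which any permission granted to Anonymous is effectively granted to everyone; it is included as an assumption so the two readings can be compared side by side, not as a statement about what any particular Zope version does. The permission table is Chris's example table, transcribed.

```python
"""Toy model of Zope-style role -> permission resolution (added example,
not Zope code).

Rules modelled, as stated in the thread:
  * Anonymous and Authenticated are special: a user holds exactly one of
    them, decided solely by whether credentials were supplied.
  * Every other role (Manager, Wizard, ...) is simply held or not held,
    independently of any other role.
  * A user has a permission iff at least one role they hold is mapped to
    that permission (logical OR over roles).

The ``anonymous_short_circuit`` flag is an ASSUMPTION used for illustration:
when True, any permission mapped to Anonymous is granted to every user,
credentials or not.  The thread above asks whether this is how Zope behaves;
it does not settle it, and neither does this model.
"""
from __future__ import annotations

from dataclasses import dataclass

# Permission -> roles granted that permission.  Transcribed from Chris's
# example table in the thread above.
PERMISSION_MAP: dict[str, frozenset[str]] = {
    "BeAnon": frozenset({"Anonymous"}),
    "View": frozenset({"Anonymous", "Authenticated", "Manager"}),
    "Change": frozenset({"Authenticated"}),
    "Delete": frozenset({"Manager"}),
    "Magik": frozenset({"Wizard"}),
}


@dataclass(frozen=True)
class User:
    name: str
    has_credentials: bool
    # Explicitly assigned roles such as Manager or Wizard.  Anonymous and
    # Authenticated are never assigned directly; they are derived below.
    assigned_roles: frozenset[str] = frozenset()

    def roles(self) -> frozenset[str]:
        """All roles in effect for this user, including the derived special role."""
        special = "Authenticated" if self.has_credentials else "Anonymous"
        return self.assigned_roles | {special}


def has_permission(
    user: User,
    permission: str,
    permission_map: dict[str, frozenset[str]] = PERMISSION_MAP,
    anonymous_short_circuit: bool = False,
) -> bool:
    """Return True iff some role the user holds is mapped to ``permission``."""
    granted_to = permission_map.get(permission, frozenset())
    # Assumed behaviour under the "short-circuit" reading: a grant to
    # Anonymous is a grant to everybody, regardless of credentials.
    if anonymous_short_circuit and "Anonymous" in granted_to:
        return True
    return not user.roles().isdisjoint(granted_to)


def permissions_for(
    user: User,
    permission_map: dict[str, frozenset[str]] = PERMISSION_MAP,
    anonymous_short_circuit: bool = False,
) -> frozenset[str]:
    """Every permission the user ends up with (the OR over their roles)."""
    return frozenset(
        p for p in permission_map
        if has_permission(user, p, permission_map, anonymous_short_circuit)
    )


def unauthenticated_reach(
    permission_map: dict[str, frozenset[str]] = PERMISSION_MAP,
) -> frozenset[str]:
    """Audit helper: permissions reachable with no credentials at all.

    Under either reading, anything mapped to Anonymous is exposed to the
    world, so this is the set to review first when hardening a mapping.
    """
    return frozenset(p for p, roles in permission_map.items() if "Anonymous" in roles)


# Constructed sample users mirroring the cases Chris walks through.
ANON = User("anon", has_credentials=False)
MANAGER = User("manager", has_credentials=True, assigned_roles=frozenset({"Manager"}))
WIZARD = User("wizard", has_credentials=True, assigned_roles=frozenset({"Wizard"}))
BOTH = User("both", has_credentials=True, assigned_roles=frozenset({"Manager", "Wizard"}))

if __name__ == "__main__":
    for u in (ANON, MANAGER, WIZARD, BOTH):
        print(f"{u.name:8s} roles={sorted(u.roles())} perms={sorted(permissions_for(u))}")
    print("world-reachable:", sorted(unauthenticated_reach()))
    print("manager, short-circuit reading:",
          sorted(permissions_for(MANAGER, anonymous_short_circuit=True)))
```

Running it shows the four cases from the thread: the anonymous user gets BeAnon and View; the manager gets View, Change and Delete (Change only through Authenticated); the wizard gets View, Change and Magik; the combined user gets everything except BeAnon. Only when the assumed short-circuit flag is switched on does BeAnon leak to authenticated users, which is exactly the difference Robert's question turns on, and `unauthenticated_reach()` lists the permissions that are exposed to unauthenticated requests under both readings.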