[Zope] role, user defined roles, and inclusion

Florent Guillaume fg at nuxeo.com
Thu Mar 31 19:13:09 EST 2005


Chris Withers  <chris at simplistix.co.uk> wrote:
> Dieter Maurer wrote:
> >>A user will have the Anonymous role iff they have not supplied any 
> >>authentication credentials.
> > 
> > Any user has the "Anonymous" role whether or not it is authenticated.
> 
> Really?
> 
> Then how come the following script:
> 
> from AccessControl import getSecurityManager
> user = getSecurityManager().getUser()
> print user.getRoles()
> return printed
> 
> returns ('Manager', 'Authenticated') when logged in as a manager

This queries the user object, and returns all roles the implementation
decided to return. Standard user folder only returns 'Authenticated' in
addition to the roles explicitly given to that user....

(FWIW in CPSUserFolder we chose to return Authenticated as well as
Anonymous to be consistent.)

> and ('Anonymous',) when anonymous?
> 
> >>A user will never have Authenticated and Anonymous roles at the same time.
> > 
> > This is wrong.
> 
> See above.

...but from the security machinery's point of view, if an object or
method is protected by a permission given to the role Anonymous, then
any user will have access. ImplPython.validate has:
        # Short-circuit tests if we can:
        try:
            if roles is None or 'Anonymous' in roles:
                return 1
(roles here is the roles issued from the permission on the object considered.)

Florent

-- 
Florent Guillaume, Nuxeo (Paris, France)   CTO, Director of R&D
+33 1 40 33 71 59   http://nuxeo.com   fg at nuxeo.com
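The distinction drawn in the reply above (what a user folder's getRoles() reports versus what the security machinery's validate() decides), as an added example that is not code from this thread or from Zope itself. It is a small Python model: the two user-folder behaviours mirror the standard user folder and the CPSUserFolder choice described in the mail, the first branch of validate() is the short-circuit quoted from ImplPython.validate, and the fallback (require any one of the granted roles) is a simplifying assumption standing in for the rest of Zope's validation logic. The class and function names are illustrative, not Zope APIs.

```python
# Added example, not Zope's own code: model of "has the Anonymous role" as
# reported by getRoles() versus as decided by the permission check.
from typing import Dict, Optional, Sequence, Tuple


class User:
    """A user together with the roles explicitly granted to it."""

    def __init__(self, name: str, roles: Tuple[str, ...] = ()) -> None:
        self.name = name
        self.explicit_roles = roles


def standard_user_roles(user: Optional[User]) -> Tuple[str, ...]:
    """Model of the standard user folder (as described in the thread):
    explicit roles plus 'Authenticated' when logged in, ('Anonymous',)
    when no credentials were supplied."""
    if user is None:
        return ("Anonymous",)
    return tuple(user.explicit_roles) + ("Authenticated",)


def cps_style_user_roles(user: Optional[User]) -> Tuple[str, ...]:
    """Model of the CPSUserFolder choice mentioned in the reply: a logged-in
    user reports both 'Authenticated' and 'Anonymous'."""
    if user is None:
        return ("Anonymous",)
    return tuple(user.explicit_roles) + ("Authenticated", "Anonymous")


def validate(user_roles: Sequence[str],
             permission_roles: Optional[Sequence[str]]) -> bool:
    """Decide whether a user holding user_roles may access an object whose
    protecting permission is granted to permission_roles.

    permission_roles is None for an unprotected object. The first branch is
    the short-circuit quoted from ImplPython.validate: anything granted to
    'Anonymous' is reachable by every user, whatever getRoles() reports.
    The fallback (any one granted role suffices) is an assumption made for
    this model; real Zope does considerably more here."""
    if permission_roles is None or "Anonymous" in permission_roles:
        return True
    return any(role in permission_roles for role in user_roles)


def scenarios() -> Dict[str, object]:
    """Run the cases discussed in the thread and return the results."""
    manager = User("alice", ("Manager",))  # constructed sample user
    std_manager = standard_user_roles(manager)
    std_anon = standard_user_roles(None)
    return {
        # What the user folder reports (the getRoles() view)
        "std_manager_roles": std_manager,
        "std_anon_roles": std_anon,
        "cps_manager_roles": cps_style_user_roles(manager),
        # What the security machinery decides (the validate() view)
        "manager_on_anon_perm": validate(std_manager, ("Anonymous",)),
        "anon_on_anon_perm": validate(std_anon, ("Anonymous",)),
        "anon_on_auth_perm": validate(std_anon, ("Authenticated",)),
        "anon_on_public": validate(std_anon, None),
        "manager_on_manager_perm": validate(std_manager, ("Manager",)),
        "anon_on_manager_perm": validate(std_anon, ("Manager",)),
    }


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name}: {value}")
```

The point to take from the output: the logged-in manager's role tuple does not contain 'Anonymous', yet a permission granted to the Anonymous role admits that manager, because the check is driven by the roles on the permission, not by the tuple returned from the user object.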

