List: zope-dev
Subject: [Zope-dev] Re: Only anonymous in an Access Rule?
From: Evan Simpson <evan () 4-am ! com>
Date: 2002-09-30 18:48:39
Chris Withers wrote:
> How come getSecurityManager().getUser() returns the Anonymous User in
> access rules? Surely some checks must have been done to see whether the
> folder containing the access rule can be traversed to?
>
> If not, then huh? I'm confused :-(
Access Rules trigger during publishing traversal, and authentication
isn't performed until publishing traversal is complete. Until traversal
is complete, Zope can't know which containers to check for User Folders.
Also, publishing traversal only checks __roles__ on the last object in
the traversal. This is very different than unrestrictedTraverse(), for
instance, which checks permissions at every traversal step. This means
that you can set security in a way that allows a user to access an
object via ZPublisher that they could not access programmatically.
Cheers,
Evan @ 4-am
_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )
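The two points in Evan's reply (authentication happens only after the whole path has been walked, so an access rule sees the Anonymous user; and publisher-style traversal checks roles only on the last object, while a per-step traversal checks every object on the way) are easier to see in a small model. The following is an added illustration written for this archive page, not Zope code and not anything from the thread: `Obj`, `publish_traverse`, `stepwise_traverse`, the user folder lookup and the sample tree are all constructed for the example, and `roles=None` is used the way Zope uses `__roles__ = None` to mean "public".

```python
"""Toy model of publisher-style vs per-step traversal checks.
Constructed example; not Zope code. All names are made up for illustration."""
from dataclasses import dataclass, field
from typing import Optional

ANONYMOUS = ("Anonymous",)


class Unauthorized(Exception):
    """Raised when the caller's roles do not satisfy an object's roles."""


@dataclass
class Obj:
    """A container or leaf. `roles` plays the part of __roles__ (None = public);
    `users` is an optional user folder (login -> roles) so authentication can be
    located by walking the containers; `has_access_rule` marks a container whose
    access rule fires during publishing traversal."""
    name: str
    roles: Optional[tuple] = None
    children: dict = field(default_factory=dict)
    users: dict = field(default_factory=dict)
    has_access_rule: bool = False

    def add(self, child):
        self.children[child.name] = child
        return child


def has_access(obj, roles):
    return obj.roles is None or any(r in obj.roles for r in roles)


def authenticate(containers, login):
    """Find `login` in the user folders along the traversed path, innermost first.
    Only possible once the whole path has been walked, which is why an access
    rule running mid-traversal still sees Anonymous."""
    for c in reversed(containers):
        if login in c.users:
            return c.users[login]
    return ANONYMOUS


def publish_traverse(root, path, login=None):
    """Publisher-style: walk the whole path (access rules fire here, while the
    caller is still Anonymous), authenticate afterwards, then check the roles of
    the final object only. Returns (object, authenticated roles, what rules saw)."""
    obj, containers, rule_saw = root, [], []
    for name in path.split("/"):
        containers.append(obj)
        if obj.has_access_rule:
            rule_saw.append((obj.name, ANONYMOUS))  # rule runs before authentication
        obj = obj.children[name]
    roles = authenticate(containers, login)
    if not has_access(obj, roles):
        raise Unauthorized(obj.name)
    return obj, roles, rule_saw


def stepwise_traverse(root, path, roles):
    """Per-step: the caller's roles are already known and every object reached
    on the way must grant access, not just the last one."""
    obj = root
    for name in path.split("/"):
        obj = obj.children[name]
        if not has_access(obj, roles):
            raise Unauthorized(obj.name)
    return obj


def build_site():
    """Constructed tree: a public root with a user folder and an access rule,
    a Manager-only folder, and a public document inside that folder."""
    root = Obj("root", users={"chris": ("Manager",)}, has_access_rule=True)
    private = root.add(Obj("private", roles=("Manager",)))
    private.add(Obj("index_html"))
    return root


def denied(fn, *args, **kw):
    """True if the traversal raised Unauthorized."""
    try:
        fn(*args, **kw)
    except Unauthorized:
        return True
    return False


def demo():
    root = build_site()
    path = "private/index_html"
    _, roles, rule_saw = publish_traverse(root, path, login="chris")
    return {
        "published_anon": publish_traverse(root, path)[0].name,  # leaf is public, so it serves
        "rule_saw": rule_saw,  # access rule ran before chris was authenticated
        "roles_after_auth": roles,
        "stepwise_anon_denied": denied(stepwise_traverse, root, path, ANONYMOUS),
        "stepwise_manager": stepwise_traverse(root, path, ("Manager",)).name,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script it prints that the anonymous publisher request reaches `index_html` through the Manager-only folder, that the root access rule only ever saw `('Anonymous',)` even though the same request later authenticated as a Manager, and that the per-step traversal refuses the anonymous caller at `private`. The practical consequence for a site owner is the one in the reply: a public object inside a restricted folder is still servable by URL, so the leaf's own roles, not the folder's, are what protect it from the publisher.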