[Zope-dev] Re: [Zope] Re: Anonymous after logging in?

John Eikenberry jae@kavi.com
Fri, 26 Mar 1999 18:11:19 -0800 (PST)


(This was a one-man thread of mine on zope@, it seemed to be getting more
technical, so I thought I'd move it to zope-dev@...)

On Thu, 25 Mar 1999, John Eikenberry wrote:

> > I'm having a strange problem with logged in users getting to anonymous
> > areas of the site. Here's a simplified example to explain...
> > 
> > Two directories off the /
> > /private
> > /public
> > 
> > /private allows no access to "Anonymous User", requiring a login.
> > 
> > There are no usernames in /acl_users. All the user info for logging into
> > /private is kept in /private/acl_users. 
> > 
> > /public has no acl_users folder.
> > 
> > If you start up netscape, you can get to /public without any problems.
> > But once you've logged into /private, you can't get back to /public
> > without getting an unauthorized error...
> 
> Ok, the problem was that I had the roles defined on the top level folder
> and the users defined in the subfolder. By moving the roles into the
> subfolder, the problem went away.

Ack... I spoke too soon... but I've figured out a fix and I'd like to
bounce it off the group to see if you'd think it'd break anything.

The fix was to modify AccessControl.User.validate()... here's a unified
diff showing what I changed...

@@ +390,10 -388,7 @@
         # Try to get user
         user=self.getUser(name)
         if user is None:
+            if self._isTop():
+                return self._nobody
+            else:
+                return None
-            return None
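Review bot: the new `if self._isTop():` branch makes every failed lookup at the root user folder succeed as Anonymous, including requests that present a name or password the root `acl_users` does not know, so the root can no longer tell "no such user" from "no credentials"; check that `self._nobody` carries only the Anonymous role and that the folder's own role check still runs on what validate() returns, otherwise the fallback widens access rather than just unblocking /public. Also, the header `@@ +390,10 -388,7 @@` has the old and new ranges in reverse order, and the removed `-            return None` line sits after the added lines instead of before them, so the hunk as posted will not apply with patch.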

Key:
  self._nobody returns the Anonymous User object
  self.getUser tries to get the user object from an acl_users folder

The problem I was having was that validate() was getting passed the
authentication information for the person who was defined in a subfolder
which it didn't have access to... so... the validate would return None,
which would raise the Unauthorized error. By having it return the
Anonymous User object (only at the top level), it allows access to public
areas without sacrificing security.

Does this make sense... does anyone see any potential problems?

Thanks for any help,

---

John Eikenberry
[jae@kavi.com - http://taos.kavi.com/~jae/] 
______________________________________________________________
"A society that will trade a little liberty for a little order
 will deserve neither and lose both."
                                         --B. Franklin
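As an added illustration (not code from the post or from Zope), here is a small Python model of the nested acl_users lookup the post describes, run both with the original "unknown user returns None" behaviour and with the top-level Anonymous fallback. The Folder class, the `build_site()` layout, the user name, password and the "Member" role are constructed assumptions; the point is to check that the fallback unblocks /public while a bad password on /private is still refused.

```python
# Constructed model of the nested acl_users lookup the post describes.
# Not Zope's code: Folder, get_user and the role names are simplified assumptions.
from dataclasses import dataclass, field
from typing import Optional, Tuple

ANONYMOUS = "Anonymous"
Creds = Optional[Tuple[str, str]]  # (name, password) or None when nothing was sent

@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    users: Optional[dict] = None  # None: this folder has no acl_users at all
    allowed_roles: set = field(default_factory=lambda: {ANONYMOUS})

    def is_top(self) -> bool:
        return self.parent is None  # stands in for self._isTop()

    def get_user(self, creds: Creds):
        # Stands in for self.getUser(name): look the name up in this acl_users only
        name, password = creds
        rec = (self.users or {}).get(name)
        return (name, rec["role"]) if rec and rec["password"] == password else None

    def validate(self, creds: Creds, patched: bool):
        if creds is None:
            return (ANONYMOUS, ANONYMOUS)  # no credentials sent: Anonymous User
        user = self.get_user(creds)
        if user is None and patched and self.is_top():
            return (ANONYMOUS, ANONYMOUS)  # the posted fix: fall back at the top only
        return user  # original code: unknown user -> None

def authorize(target: Folder, creds: Creds, patched: bool) -> bool:
    """Ask each acl_users from the target up to the root to validate the
    credentials; the first user returned must hold a role the target allows.
    If no user folder returns a user the request is Unauthorized (False)."""
    node = target
    while node is not None:
        if node.users is not None:
            user = node.validate(creds, patched)
            if user is not None:
                return user[1] in target.allowed_roles
        node = node.parent
    return False

def build_site():
    # /acl_users exists but holds no names; /private/acl_users holds the only user.
    root = Folder("/", users={})
    public = Folder("/public", parent=root)
    private = Folder("/private", parent=root, allowed_roles={"Member"},
                     users={"jae": {"password": "secret", "role": "Member"}})
    return root, public, private
```

The unpatched run reproduces the report (credentials valid only in /private/acl_users make /public Unauthorized), and the patched run still refuses a wrong password on /private because the Anonymous fallback never satisfies /private's role check.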