[Zope-dev] Re: user roles & authentication

R. David Murray bitz@bitdance.com
Mon, 11 Nov 2002 10:04:16 -0500 (EST)


On Sat, 9 Nov 2002, Grant K Rauscher wrote:
> > This is how the HTTP 1.1 specification requires it to be.
> > Your browser follows this spec.
>
> Dieter,
>
>     I understand the HTTP spec... but ZOPE does not work that way.
>
>     I can use methods which require roles above where I logged in.  The
> methods used for returning the roles themselves do not correlate with ZOPE's
> own actions.  Therefore ZOPE has an internal inconsistency regarding user
> authentication with basic HTTP authorization.

Zope has one security policy (you are authed from the user folder
you appear in on down), but basic auth has a different one that
requires that the browser only *send* the auth credentials at the
folder you *log in at* and down.  So if you've logged in at the
"below" location, and subsequently visit a location between the
user folder and the log in point, the *browser* will not *send* the
auth credentials, so you are anonymous.  If you then auth on that
new (higher) page, the browser will start sending the auth credentials.

--RDM

PS: it seems to me that not all browsers obey this, or perhaps some
send the auth for the higher level folders if challenged and if it
works don't prompt the user.
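The mismatch RDM describes can be simulated end to end. The following is an added example, not code from the original thread or from Zope itself: a minimal Basic-auth client that caches credentials per protection space (the directory of the URL it was challenged at and everything below it, as RFC 7617 section 2.2 describes), talking to a Zope-like server that accepts valid credentials anywhere at or below the user folder. The host-less paths, the user database and the set of protected resources are all constructed for the example.

```python
"""Constructed simulation: Zope's "user folder and down" policy versus the
browser's "challenged-at and down" rule for sending Basic credentials."""
import base64

USER_FOLDER = "/site"                        # assumed location of acl_users
USERS = {"alice": "s3cret"}                  # constructed user database
PROTECTED = {"/site/sub/deep", "/site/sub"}  # constructed role-protected objects


def protection_space(path):
    """Directory of the challenged URL; the client will send credentials
    for any path under it (RFC 7617 sec. 2.2 behaviour)."""
    return path.rsplit("/", 1)[0] + "/"      # "/site/sub/deep" -> "/site/sub/"


def server(path, headers):
    """Zope-like policy: valid Basic credentials authenticate the request
    anywhere at or below USER_FOLDER; otherwise the request is Anonymous.
    Protected paths answer 401 to Anonymous."""
    user = "Anonymous"
    auth = headers.get("Authorization", "")
    if path.startswith(USER_FOLDER) and auth.startswith("Basic "):
        decoded = base64.b64decode(auth[len("Basic "):]).decode()
        name, _, password = decoded.partition(":")
        if USERS.get(name) == password:
            user = name
    if path in PROTECTED and user == "Anonymous":
        return 401, user
    return 200, user


class Browser:
    """Sends cached credentials only for paths inside a known protection
    space; on a 401 it prompts (here: uses the supplied login) and caches
    the result for the space of the URL that challenged it."""

    def __init__(self):
        self.spaces = {}  # protection-space prefix -> Authorization header

    def request(self, path, login=None):
        headers = {}
        for prefix, value in self.spaces.items():
            if path.startswith(prefix):
                headers["Authorization"] = value
                break
        status, user = server(path, headers)
        if status == 401 and login is not None:
            token = base64.b64encode(f"{login[0]}:{login[1]}".encode()).decode()
            headers["Authorization"] = "Basic " + token
            status, user = server(path, headers)
            if status == 200:
                self.spaces[protection_space(path)] = headers["Authorization"]
        return status, user


def scenario():
    """Replays the thread: log in at the deep folder, then visit a folder
    between the user folder and the login point, then re-auth there."""
    browser = Browser()
    alice = ("alice", "s3cret")
    return [
        browser.request("/site/sub/deep", login=alice),  # challenged, logs in
        browser.request("/site/sub"),                    # no creds sent: Anonymous
        browser.request("/site/sub", login=alice),       # re-auth widens the space
        browser.request("/site/other"),                  # creds now sent here too
    ]


if __name__ == "__main__":
    for step in scenario():
        print(step)
```

The second request is the interesting one: the server would have accepted the credentials (the path is under the user folder), but the client never sends them because `/site/sub` is not inside the cached space `/site/sub/`, so Zope sees an anonymous visitor. Only the re-authentication at the higher folder widens the client's space to `/site/`, after which sibling folders receive credentials preemptively.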