[Zope-dev] Re: Only anonymous in an Access Rule?
Evan Simpson
evan@4-am.com
Mon, 30 Sep 2002 13:48:39 -0500
Chris Withers wrote:
> How come getSecurityManager().getUser() returns the Anonymous User in
> access rules? Surely some checks must have been done to see whether the
> folder containing the access rule can be traversed to?
>
> If not, then huh? I'm confused :-(
Access Rules trigger during publishing traversal, and authentication
isn't performed until publishing traversal is complete. Until traversal
is complete, Zope can't know which containers to check for User Folders.
Also, publishing traversal only checks __roles__ on the last object in
the traversal. This is very different from unrestrictedTraverse(), for
instance, which checks permissions at every traversal step. This means
that you can set security in a way that allows a user to access an
object via ZPublisher that they could not access programmatically.
Cheers,
Evan @ 4-am
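The ordering Evan describes above, as an added toy model (this is not Zope's code, and Node, User, publish_traverse, restricted_traverse and the "alice:secret" credential are all constructed for the illustration): a publishing-style traversal walks the whole path first, firing each container's access rule while the security manager still holds the Anonymous user, only then authenticates against the user folders found along the traversed chain, and checks roles on the last object alone. A step-wise traversal, by contrast, checks every object on the path, so a protected container blocks everything beneath it. The site tree and users are constructed sample data:

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional

ANONYMOUS = "Anonymous"


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]


ANON_USER = User(ANONYMOUS, frozenset({ANONYMOUS}))


class Unauthorized(Exception):
    """Raised when the user lacks the roles an object demands."""


@dataclass
class Node:
    """A container or document. roles=None means anyone may see it (like __roles__ = None)."""
    name: str
    roles: Optional[FrozenSet[str]] = None
    children: Dict[str, "Node"] = field(default_factory=dict)
    user_folder: Optional[Dict[str, User]] = None          # credential -> User (stand-in for acl_users)
    access_rule: Optional[Callable[[User], None]] = None   # hypothetical hook, sees the *current* user

    def add(self, child: "Node") -> "Node":
        self.children[child.name] = child
        return child


def allowed(node: Node, user: User) -> bool:
    return node.roles is None or bool(node.roles & user.roles)


def publish_traverse(root: Node, path: str, credentials: Optional[str] = None) -> tuple:
    """Publishing order: traverse first (access rules fire with Anonymous), authenticate
    against user folders on the traversed chain, then check roles on the last object only."""
    chain = [root]
    node = root
    if node.access_rule:
        node.access_rule(ANON_USER)
    for name in [p for p in path.split("/") if p]:
        node = node.children[name]
        chain.append(node)
        if node.access_rule:
            node.access_rule(ANON_USER)       # authentication has not happened yet
    user = ANON_USER
    for container in reversed(chain):         # innermost user folder wins, acquisition-style
        if container.user_folder and credentials in container.user_folder:
            user = container.user_folder[credentials]
            break
    if not allowed(node, user):               # only the final object is checked
        raise Unauthorized(f"{user.name} may not access {node.name}")
    return node, user


def restricted_traverse(root: Node, path: str, user: User) -> Node:
    """Step-wise order: the caller is already authenticated and every object on the path is checked."""
    node = root
    for name in [""] + [p for p in path.split("/") if p]:
        node = node.children[name] if name else node
        if not allowed(node, user):
            raise Unauthorized(f"{user.name} may not traverse {node.name}")
    return node


def build_site(seen_by_rule: List[str]) -> Node:
    """Constructed sample: root holds the user folder; /private is Manager-only and carries
    an access rule; /private/doc is world-visible once reached."""
    alice = User("alice", frozenset({"Manager", "Authenticated"}))
    root = Node("root", user_folder={"alice:secret": alice})
    private = root.add(Node("private", roles=frozenset({"Manager"}),
                            access_rule=lambda u: seen_by_rule.append(u.name)))
    private.add(Node("doc"))
    return root


def demo() -> dict:
    seen: List[str] = []
    root = build_site(seen)
    alice = root.user_folder["alice:secret"]
    out = {}
    _, user = publish_traverse(root, "private/doc", "alice:secret")
    out["rule_saw"] = list(seen)              # the rule ran before alice was authenticated
    out["published_as"] = user.name           # but the final roles check sees alice
    out["anon_publish_doc"] = publish_traverse(root, "private/doc")[0].name   # reachable: only doc is checked
    try:
        publish_traverse(root, "private")
        out["anon_publish_private"] = "allowed"
    except Unauthorized:
        out["anon_publish_private"] = "denied"
    try:
        restricted_traverse(root, "private/doc", ANON_USER)
        out["anon_restricted_doc"] = "allowed"
    except Unauthorized:
        out["anon_restricted_doc"] = "denied"   # the protected container blocks the path
    out["alice_restricted_doc"] = restricted_traverse(root, "private/doc", alice).name
    return out


if __name__ == "__main__":
    print(demo())
```

The two results worth comparing are anon_publish_doc and anon_restricted_doc: the same anonymous user reaches /private/doc through the publishing path but is stopped at /private by the step-wise check, which is the mismatch Evan warns about when security is set on a container rather than on the objects inside it.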