[Zope] AUTHENTICATED_USER and :method calls

Dieter Maurer dieter at handshake.de
Sat Dec 20 07:07:47 EST 2003


James Davies wrote at 2003-12-18 11:50 +1000:
>I'm having some weird problems with AUTHENTICATED_USER...
> ...
>Although I am logged in as the user "techy1",

HTTP does not have the notion of "logged in".
What you see is an emulation of this notion that is not reliable...

>if I access
>AUTHENTICATED_USER from within newReport using the following code:
>
>user = str(self.REQUEST.AUTHENTICATED_USER)
>
>I get 'Anonymous User'. However the code still runs with the permissions
>of techy1

Are you using an old Zope version?

Older Zope versions only performed authentication for protected
objects.

If you are using a new Zope version (2.6.x or above),
then either someone modified "AUTHENTICATED_USER" (not
likely -- in this case, you could use:

       from AccessControl import getSecurityManager
       user = getSecurityManager().getUser()

) or your browser did not send authentication information.

Browsers are allowed by HTTP 1.1 not to send authentication information.
However, they should (this is not a *must*) send authentication information
into subhierarchies where some object in the top level required authentication.
This rule implies that the place where you had to login determines
the subhierarchy into which authentication information is sent.
This can explain effects you have observed.

-- 
Dieter
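An added illustration of the browser behaviour Dieter describes (example code written for this archive page, not from the thread or from Zope): a browser keeps Basic credentials for the "protection space" below the place where it was first challenged (the path up to the last slash) and only sends them preemptively inside that subhierarchy, so the same script can see "techy1" or "Anonymous User" depending on where the login happened. The host name, paths and password are constructed placeholders.

```python
from base64 import b64decode, b64encode
from urllib.parse import urlsplit


class BasicAuthCache:
    """Models a browser's preemptive HTTP Basic credential cache (RFC 2617 semantics)."""

    def __init__(self):
        # (scheme, host, directory of the URL that was challenged) -> Authorization header
        self._spaces = {}

    def on_challenge(self, url, username, password):
        """Record credentials after a 401 at `url` was answered by the user."""
        parts = urlsplit(url)
        # Protection space: everything at or below the directory of the challenged URL.
        root = parts.path.rsplit("/", 1)[0] + "/"
        token = b64encode(f"{username}:{password}".encode()).decode()
        self._spaces[(parts.scheme, parts.netloc, root)] = "Basic " + token

    def header_for(self, url):
        """Authorization header the browser would send without being asked, or None."""
        parts = urlsplit(url)
        for (scheme, host, root), header in self._spaces.items():
            if scheme == parts.scheme and host == parts.netloc and parts.path.startswith(root):
                return header
        return None


def authenticated_user(auth_header):
    """Server side: the user name a request carries, or the anonymous user when none arrives."""
    if not auth_header or not auth_header.startswith("Basic "):
        return "Anonymous User"
    decoded = b64decode(auth_header[len("Basic "):]).decode()
    return decoded.split(":", 1)[0]


if __name__ == "__main__":
    # Constructed scenario: the login challenge happened under /site/, then two scripts are called.
    cache = BasicAuthCache()
    cache.on_challenge("http://zope.example/site/manage_main", "techy1", "secret-placeholder")
    for url in ("http://zope.example/site/reports/newReport",
                "http://zope.example/other/newReport"):
        print(url, "->", authenticated_user(cache.header_for(url)))
```

The second request falls outside the subhierarchy where the login took place, so no credentials are sent and the server sees the anonymous user even though the same browser session is "logged in".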


