Re: [Zope] role, user defined roles, and inclusion

2005-03-30 Thread Dieter Maurer
Chris Withers wrote at 2005-3-30 08:31 +0100:
>Dennis Allison wrote:
>> Are the standard roles (anonymous, authorized_user, manager) inclusive?  

Yes. These special roles are "inclusive" (as their name might suggest).

> ...
>A user will have the Anonymous role iff they have not supplied any 
>authentication credentials.

Any user has the "Anonymous" role whether or not it is authenticated.

>A user will have the Authenticated role iff they HAVE supplied 
>authentication credentials.

Especially, any "Manager" has the "Authenticated" role (as
it is authenticated).

>A user will never have Authenticated and Anonymous roles at the same time.

This is wrong.

-- 
Dieter
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )


Re: [Zope] role, user defined roles, and inclusion

2005-03-30 Thread robert
Dieter,
thanks for your clarifications.
Is my assumption that granting a permission to Anonymous means granting 
it to anybody correct?
Robert

Dieter Maurer wrote:
> Chris Withers wrote at 2005-3-30 08:31 +0100:
> > Dennis Allison wrote:
> > > Are the standard roles (anonymous, authorized_user, manager) inclusive?
> 
> Yes. These special roles are "inclusive" (as their name might suggest).
> 
> > ...
> > A user will have the Anonymous role iff they have not supplied any 
> > authentication credentials.
> 
> Any user has the "Anonymous" role whether or not it is authenticated.
> 
> > A user will have the Authenticated role iff they HAVE supplied 
> > authentication credentials.
> 
> Especially, any "Manager" has the "Authenticated" role (as
> it is authenticated).
> 
> > A user will never have Authenticated and Anonymous roles at the same time.
> 
> This is wrong.



Re: [Zope] role, user defined roles, and inclusion

2005-03-31 Thread Chris Withers
Dieter Maurer wrote:
> > A user will have the Anonymous role iff they have not supplied any 
> > authentication credentials.
> 
> Any user has the "Anonymous" role whether or not it is authenticated.

Really?

Then how come the following script:

from AccessControl import getSecurityManager
user = getSecurityManager().getUser()
print user.getRoles()
return printed

returns ('Manager', 'Authenticated') when logged in as a manager and 
('Anonymous',) when anonymous?

> > A user will never have Authenticated and Anonymous roles at the same time.
> 
> This is wrong.

See above.
Chris
--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk


Re: [Zope] role, user defined roles, and inclusion

2005-03-31 Thread Florent Guillaume
Chris Withers  <[EMAIL PROTECTED]> wrote:
> Dieter Maurer wrote:
> >>A user will have the Anonymous role iff they have not supplied any 
> >>authentication credentials.
> > 
> > Any user has the "Anonymous" role whether or not it is authenticated.
> 
> Really?
> 
> Then how come the following script:
> 
> from AccessControl import getSecurityManager
> user = getSecurityManager().getUser()
> print user.getRoles()
> return printed
> 
> returns ('Manager', 'Authenticated') when logged in as a manager

This queries the user object, and returns all roles the implementation
decided to return. Standard user folder only returns 'Authenticated' in
addition to the roles explicitly given to that user.

(FWIW in CPSUserFolder we chose to return Authenticated as well as
Anonymous to be consistent.)

> and ('Anonymous',) when anonymous?
> 
> >>A user will never have Authenticated and Anonymous roles at the same time.
> > 
> > This is wrong.
> 
> See above.

...but from the security machinery's point of view, if an object or
method is protected by a permission given to the role Anonymous, then
any user will have access. ImplPython.validate has:
    # Short-circuit tests if we can:
    try:
        if roles is None or 'Anonymous' in roles:
            return 1
(roles here is the roles issued from the permission on the object considered.)

Florent

-- 
Florent Guillaume, Nuxeo (Paris, France)   CTO, Director of R&D
+33 1 40 33 71 59   http://nuxeo.com   [EMAIL PROTECTED]


Re: [Zope] role, user defined roles, and inclusion

2005-04-01 Thread Chris Withers
Florent Guillaume wrote:
> > from AccessControl import getSecurityManager
> > user = getSecurityManager().getUser()
> > print user.getRoles()
> > return printed
> > 
> > returns ('Manager', 'Authenticated') when logged in as a manager
> 
> This queries the user object, and returns all roles the implementation
> decided to return. 

Are you implying that something else gives the user the Anonymous role 
as far as Zope security is concerned?

> Standard user folder only returns 'Authenticated' in
> addition to the roles explicitly given to that user.

Indeed, but they don't give Anonymous to any user who has provided 
successful auth credentials.

> (FWIW in CPSUserFolder we chose to return Authenticated as well as
> Anonymous to be consistent.)

In what context? Providing both Authenticated and Anonymous on the same 
user at the same time seems bizarre ;-)

> ...but from the security machinery's point of view, if an object or
> method is protected by a permission given to the role Anonymous, then
> any user will have access. ImplPython.validate has:
> 
>     # Short-circuit tests if we can:
>     try:
>         if roles is None or 'Anonymous' in roles:
>             return 1
> 
> (roles here is the roles issued from the permission on the object considered.)

Indeed, this is a little wart but one that makes sense. It doesn't, 
however, mean that Authenticated users have the Anonymous role, which was 
the original question.

However, my example was incorrect, since provided anonymous can BeAnon, 
then so can anyone else, which is a little odd, but doesn't really 
matter in the grand scheme of things...

cheers,
Chris
--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk


Re: [Zope] role, user defined roles, and inclusion

2005-04-01 Thread Florent Guillaume
Chris Withers  <[EMAIL PROTECTED]> wrote:
> > (FWIW in CPSUserFolder we chose to return Authenticated as well as
> > Anonymous to be consistent.)
> 
> In what context? Providing both Authenticated and Anonymous on the same 
> user at the same time seems bizarre ;-)

When doing user.getRoles(). Because as Tres said more clearly than me,
every user can do what the Anonymous role can, so it's just being
consistent to express that in user.getRoles(). IMHO.

Florent

-- 
Florent Guillaume, Nuxeo (Paris, France)   CTO, Director of R&D
+33 1 40 33 71 59   http://nuxeo.com   [EMAIL PROTECTED]


Re: [Zope] role, user defined roles, and inclusion

2005-04-01 Thread Dieter Maurer
Chris Withers wrote at 2005-3-31 12:26 +0100:
>Dieter Maurer wrote:
>> Any user has the "Anonymous" role whether or not it is authenticated.
>
>Really?
> ...
>print user.getRoles()
> ...
>
>returns ('Manager', 'Authenticated') when logged in as a manager and 
>('Anonymous',) when anonymous?
>
>>>A user will never have Authenticated and Anonymous roles at the same time.
>> 
>> This is wrong.
>
>See above.

As others already pointed out:

  There is an inconsistency between what "getRoles()" returns
  and what roles a user *effectively* has.

  The inconsistency might be justified as follows:

When every user has invariably the "Anonymous" role,
this can just be taken a general default that need
not be expressed in "getRoles()".

-- 
Dieter


Re: [Zope] role, user defined roles, and inclusion

2005-04-01 Thread Dieter Maurer
robert wrote at 2005-3-31 07:22 +0200:
>Is my assumption that granting a permission to Anonymous means granting 
>it to anybody correct?

Correct.

-- 
Dieter


Re: [Zope] role, user defined roles, and inclusion

2005-04-01 Thread Cliff Ford

Dieter Maurer wrote:
> robert wrote at 2005-3-31 07:22 +0200:
> > Is my assumption that granting a permission to Anonymous means granting 
> > it to anybody correct?
> 
> Correct.

Actually, I don't think that is strictly true! And it reminds me of a 
period of confusion I went through a few months ago, when I was 
convinced that either I did not understand how roles were supposed to 
work or that there were bugs in the implementation. It turned out that I 
had cut and paste a folder with its own View permissions into 
another folder with incompatible View permissions. I have forgotten the 
exact details but I think I had the Manager role in the outer folder but 
only the Authenticated role in the inner folder. I had totally forgotten 
that I had been fiddling with the View permissions days or weeks before. 
So for the original questioner: check that you have not shot yourself in 
the foot too!

Cliff


Re: [Zope] role, user defined roles, and inclusion

2005-04-01 Thread robert
Cliff Ford wrote:
> Dieter Maurer wrote:
> > robert wrote at 2005-3-31 07:22 +0200:
> > > Is my assumption that granting a permission to Anonymous means 
> > > granting it to anybody correct?
> > 
> > Correct.
> 
> Actually, I don't think that is strictly true! And it reminds me of a 
> period of confusion I went through a few months ago, when I was 
> convinced that either I did not understand how roles were supposed to 
> work or that there were bugs in the implementation. It turned out that 
> I had cut and paste a folder with its own View permissions into 
> another folder with incompatible View permissions. I have forgotten 
> the exact details but I think I had the Manager role in the outer 
> folder but only the Authenticated role in the inner folder. I had 
> totally forgotten that I had been fiddling with the View permissions 
> days or weeks before. So for the original questioner: check that you 
> have not shot yourself in the foot too!

Yes, that can happen. However it does not deviate from the stated 
behaviour. In your case the needed permission was NOT granted to Anonymous.

Robert
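A runnable sketch of the two mechanisms this thread turns on: the Anonymous short-circuit Florent quotes from ImplPython.validate (a permission granted to the Anonymous role passes every user, whatever user.getRoles() reports), and the nested-folder trap Cliff describes (an inner folder whose View permission does not acquire from its parent). This is an illustration added for the thread, not code from Zope or from anyone posting here. The folder and user names are made up, the model uses an explicit `acquire` flag where real Zope records that flag as the list-versus-tuple type of the stored roles, and it ignores local roles and Zope's defaults for permissions that nothing in the containment chain configures.

```python
# Toy model of Zope 2's permission check, written for this thread as an
# illustration; it is not Zope's own code.  Folder/user names and the
# explicit `acquire` flag are assumptions of the example.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    # permission name -> (roles granted here, acquire-from-parent flag)
    permissions: dict = field(default_factory=dict)

    def grant(self, permission, roles, acquire=True):
        """Set the roles holding `permission` on this folder.  With
        acquire=True the parent's settings are unioned in (the "Acquire
        permission settings" checkbox); with False they are not."""
        self.permissions[permission] = (frozenset(roles), acquire)


@dataclass
class User:
    name: str
    roles: tuple          # what user.getRoles() reports
    authenticated: bool = True

    def getRoles(self):
        return self.roles


# The anonymous user is the only one whose getRoles() lists "Anonymous".
ANONYMOUS = User("Anonymous User", ("Anonymous",), authenticated=False)


def roles_for_permission(obj, permission):
    """Collect the roles holding `permission` on `obj`, walking up the
    containment chain until an object that does not acquire is hit."""
    roles = set()
    while obj is not None:
        setting = obj.permissions.get(permission)
        if setting is not None:
            granted, acquire = setting
            roles |= granted
            if not acquire:
                break
        obj = obj.parent
    return roles


def validate(user, obj, permission):
    """True if `user` may exercise `permission` on `obj`."""
    roles = roles_for_permission(obj, permission)
    # The short-circuit quoted from ImplPython.validate: a permission
    # granted to Anonymous is open to every user, whatever getRoles() says.
    if "Anonymous" in roles:
        return True
    # Every non-anonymous user implicitly holds Authenticated.
    if user.authenticated and "Authenticated" in roles:
        return True
    return bool(roles & set(user.getRoles()))


def demo():
    """Public site folder with a members-only subfolder whose View
    permission does not acquire: the cut-and-paste situation above."""
    site = Folder("site")
    site.grant("View", ["Anonymous"])
    members = Folder("members", parent=site)
    members.grant("View", ["Authenticated"], acquire=False)
    manager = User("alice", ("Manager", "Authenticated"))
    return {
        "manager_getRoles_lists_anonymous": "Anonymous" in manager.getRoles(),
        "manager_views_site": validate(manager, site, "View"),
        "anonymous_views_site": validate(ANONYMOUS, site, "View"),
        "manager_views_members": validate(manager, members, "View"),
        "anonymous_views_members": validate(ANONYMOUS, members, "View"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The manager's getRoles() never lists Anonymous, yet validate() lets that user through the public folder because of the short-circuit; the anonymous user is refused on the subfolder not because of any role quirk but because its non-acquiring View setting simply does not include Anonymous. Flip the subfolder to acquire=True and the parent's Anonymous grant flows back in.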


Re: [Zope] role, user defined roles, and inclusion

2005-04-04 Thread Chris Withers
Florent Guillaume wrote:
> When doing user.getRoles(). Because as Tres said more clearly than me,
> every user can do what the Anonymous role can, so it's just being
> consistent to express that in user.getRoles(). IMHO.

Well yours is the only userfolder implementation that does.
While I agree with the security short-circuiting code, I think having a 
getRoles return Anonymous and Authenticated at the same time is bizarre...

Chris
--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk


Re: [Zope] role, user defined roles, and inclusion

2005-04-04 Thread Florent Guillaume
Chris Withers wrote:
> Florent Guillaume wrote:
> > When doing user.getRoles(). Because as Tres said more clearly than me,
> > every user can do what the Anonymous role can, so it's just being
> > consistent to express that in user.getRoles(). IMHO.
> 
> Well yours is the only userfolder implementation that does.
> While I agree with the security short-circuiting code, I think having a 
> getRoles return Anonymous and Authenticated at the same time is bizarre...

I understand it could be viewed that way. Anyway we haven't found any 
problem in doing this. I'll look if it can be removed safely.

OTOH Anonymous and Authenticated really shouldn't be roles but groups, 
and indeed in CPS we have special groups representing Anonymous and 
Authenticated. That makes things *much* more orthogonal, and local roles 
(local group roles actually) can be used with them to assign rights. But 
I digress.

Florent
--
Florent Guillaume, Nuxeo (Paris, France)   CTO, Director of R&D
+33 1 40 33 71 59   http://nuxeo.com   [EMAIL PROTECTED]


Re: [Zope] role, user defined roles, and inclusion

2005-04-04 Thread Chris Withers
Florent Guillaume wrote:
> OTOH Anonymous and Authenticated really shouldn't be roles but groups, 
> and indeed in CPS we have special groups representing Anonymous and 
> Authenticated. That makes things *much* more orthogonal, and local roles 
> (local group roles actually) can be used with them to assign rights. But 
> I digress.

I find the distinction between roles and groups to be useless ;-)
Chris
--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk


Re: [Zope] role, user defined roles, and inclusion

2005-04-04 Thread Dieter Maurer
Chris Withers wrote at 2005-4-4 14:14 +0100:
>Florent Guillaume wrote:
>> OTOH Anonymous and Authenticated really shouldn't be roles but groups, 
>> and indeed in CPS we have special groups representing Anonymous and 
>> Authenticated. That makes things *much* more orthogonal, and local roles 
>> (local group roles actually) can be used with them to assign rights. But 
>> I digress.
>
>I find the distinction between roles and groups to be useless ;-)

A role that does not fit well into the group concept is the "Owner" role.

-- 
Dieter