On Sat, 9 Nov 2002, Grant K Rauscher wrote:
> > This is how the HTTP 1/1 specification requires it to be.
> > Your browser follows this spec.
>
> Dieter,
>
> I understand the HTTP spec... but ZOPE does not work that way.
>
> I can use methods which require roles above where I logged in. The
> methods used for returning the roles themselves do not correlate with ZOPE's
> own actions. Therefore ZOPE has an internal inconsistency regarding user
> authentication with basic HTTP authorization.
Zope has one security policy (you are authed from the user folder
you appear in on down), but basic auth has a different one that
requires that the browser only *send* the auth credentials at the
folder you *log in at* and down. So if you've logged in at the
"below" location, and subsequently visit a location between the
user folder and the log in point, the *browser* will not *send* the
auth credentials, so you are anonymous. If you then auth on that
new (higher) page, the browser will start sending the auth credentials.
--RDM
PS: it seems to me that not all browsers obey this, or perhaps some
send the auth for the higher-level folders if challenged and, if it
works, don't prompt the user.
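As an added illustration (not part of the thread, and not Zope's own code): a small Python simulation of the two policies RDM describes, a browser that only sends Basic credentials at and below the directory where it last answered a 401, against a site that accepts a user folder's credentials anywhere below that folder. Paths, the realm and the user are made up.

```python
class Browser:
    """Simplified RFC 2617 client: credentials go out pre-emptively only for
    URIs inside a learned protection space (realm + directory of the 401'd URI)."""
    def __init__(self, reuse_on_challenge=False):
        self.spaces, self.creds = {}, {}   # realm -> prefixes; realm -> (user, pw)
        # Some browsers answer a fresh 401 with cached credentials for the
        # realm before prompting (the behaviour guessed at in the PS above).
        self.reuse_on_challenge = reuse_on_challenge
    def sends_for(self, realm, path):
        return any(path.startswith(p) for p in self.spaces.get(realm, ()))
    def learn(self, realm, path, creds):
        # RFC 2617 s2: the space covers the directory of `path` and below.
        self.spaces.setdefault(realm, set()).add(path.rsplit("/", 1)[0] + "/")
        self.creds[realm] = creds

class ZopeSite:
    """Zope's policy: a user from the user folder at `acl_path` is valid for
    every object at or below that folder, if credentials actually arrive."""
    def __init__(self, acl_path, realm, users):
        self.acl_path, self.realm, self.users = acl_path, realm, users
    def _check(self, creds):
        ok = creds and self.users.get(creds[0]) == creds[1]
        return creds[0] if ok else "anonymous"
    def get(self, browser, path, protected=False, typed=None):
        """Effective user for one request. `protected`: the object answers an
        unauthenticated request with 401; `typed`: dialog input (None = cancelled)."""
        if not path.startswith(self.acl_path):
            return "anonymous"                  # above the user folder
        if browser.sends_for(self.realm, path):
            return self._check(browser.creds[self.realm])
        if not protected:
            return "anonymous"                  # no challenge, so no credentials
        cached = browser.creds.get(self.realm) if browser.reuse_on_challenge else None
        creds = cached if self._check(cached) != "anonymous" else typed
        if creds is None:
            return "anonymous"
        browser.learn(self.realm, path, creds)
        return self._check(creds)

def scenario(reuse_on_challenge=False):
    site = ZopeSite("/site", "Zope", {"alice": "pw"})   # constructed sample site
    b = Browser(reuse_on_challenge)
    return [
        site.get(b, "/site/a/b/secret", protected=True, typed=("alice", "pw")),
        site.get(b, "/site/a/b/other"),  # same protection space: still alice
        site.get(b, "/site/a/index"),    # between user folder and log-in point
        site.get(b, "/site/a/admin", protected=True),  # 401; dialog cancelled
        site.get(b, "/site/a/admin", protected=True, typed=("alice", "pw")),
        site.get(b, "/site/a/index"),    # the space now covers /site/a/
    ]
```

The third request is the inconsistency from the thread: Zope would accept alice there, but the browser never sends the credentials, so the page is served anonymously until a 401 higher up widens the protection space.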
___
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev