On Sat, 9 Nov 2002, Grant K Rauscher wrote:
> > This is how the HTTP/1.1 specification requires it to be.
> > Your browser follows this spec.
>
> Dieter,
>
> I understand the HTTP spec... but ZOPE does not work that way.
>
> I can use methods which require roles above where I logged in. The
> methods used for returning the roles themselves do not correlate with ZOPE's
> own actions. Therefore ZOPE has an internal inconsistency regarding user
> authentication with basic HTTP authorization.
Zope has one security policy (you are authed from the user folder you
appear in on down), but basic auth has a different one that requires that
the browser only *send* the auth credentials at the folder you *log in at*
and down.

So if you've logged in at the "below" location, and subsequently visit a
location between the user folder and the login point, the *browser* will
not *send* the auth credentials, so you are anonymous. If you then auth on
that new (higher) page, the browser will start sending the auth credentials.

--RDM

PS: it seems to me that not all browsers obey this, or perhaps some send
the auth for the higher level folders if challenged and if it works don't
prompt the user.

_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )
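The browser/Zope mismatch RDM describes, as an added example that is not part of the thread: a small Python model of the HTTP Basic "protection space" rule (credentials are sent preemptively only at or below the directory of the URL that was challenged) beside a Zope-style user folder that authenticates everything beneath it. The user folder location /site/, the paths and the credentials are constructed for illustration.

```python
from base64 import b64decode, b64encode
import posixpath

# Constructed sample data: one user folder at /site/ (assumption) with one user.
USERS = {"alice": "s3cret"}
USER_FOLDER = "/site/"

def basic_token(user, password):
    return "Basic " + b64encode(f"{user}:{password}".encode()).decode()

class Browser:
    """Models the HTTP Basic rule: after a challenge at URL P, credentials are
    sent preemptively only for URLs at or below P's directory."""
    def __init__(self):
        self.spaces = []  # list of (path prefix, Authorization value)

    def challenged(self, path, user, password):
        # The protection space is the directory part of the challenged URL.
        prefix = posixpath.dirname(path).rstrip("/") + "/"
        self.spaces.append((prefix, basic_token(user, password)))

    def headers_for(self, path):
        for prefix, token in self.spaces:
            if path.startswith(prefix):
                return {"Authorization": token}
        return {}  # outside every known space: nothing is sent

def zope_identify(path, headers):
    """Models Zope's policy: the user folder at USER_FOLDER authenticates any
    request beneath it, but only if an Authorization header actually arrived."""
    if not path.startswith(USER_FOLDER):
        return "Anonymous User"
    token = headers.get("Authorization", "")
    if not token.startswith("Basic "):
        return "Anonymous User"
    user, _, password = b64decode(token[6:]).decode().partition(":")
    return user if USERS.get(user) == password else "Anonymous User"

def walk(browser, paths):
    """Return [(path, identity Zope sees)] for a sequence of requests."""
    return [(p, zope_identify(p, browser.headers_for(p))) for p in paths]

if __name__ == "__main__":
    b = Browser()
    b.challenged("/site/sub/page", "alice", "s3cret")   # logged in "below"
    for path, who in walk(b, ["/site/sub/other", "/site/index"]):
        print(path, "->", who)   # /site/index is anonymous: no header sent
    b.challenged("/site/index", "alice", "s3cret")      # re-auth higher up
    print(walk(b, ["/site/index", "/site/sub/other"]))  # now alice everywhere
```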