Comment 2 for bug 142943

Tres Seaver (tseaver) wrote :

> 1. manage_workspace is only protected by the Authenticated role, and that
> is done directly, not even through a permission.

WONTFIX: this is *by design*.

> 2. self.filtered_manage_roles then limits the options of what can be
> shown, which might end up being nothing. But, because the method is only
> protected by 'Authenticated', no chance is given to specify other user
> credentials (say, from a user folder higher up in the tree) which might
> be able to see something.

NOTABUG. *Nothing* in Zope behaves as you describe. Once you are authenticated, your identity is fixed for the duration of the request.

> 3. There's a bare try/except which masks errors. From what I can see, it
> should ONLY catch IndexErrors.

SHOULDFIX. This part should be fixed by removing the 'try:...except:' altogether. If the list returned by 'filtered_manage_options' is empty, then raise Unauthorized.

> 4. The "raise TypeError" could do with some explanation.

NOTABUG. That check avoids a potential recursion loop.

> 5. The Unauthorized could raise a more helpful message "You are not
> authorized to view any of this object's management interface"

Why expose more information? Unauthorized says, "You tried to do something you aren't allowed; please authenticate as someone else", which is all we want.
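Added illustration of the point under item 3 (not code from Zope or from this bug thread): the dispatch logic modelled as "first visible option wins", once with the bare try/except the reporter objects to and once with it removed as the reply proposes. The shape of the option list (a list of dicts with an 'action' key), the stand-in Unauthorized class, and the assumption that the bare except converts whatever happened into Unauthorized are all assumptions made for the example, not facts from the page.

```python
# Added illustration, not Zope's own code. It models the dispatch logic the
# comment argues about: pick the first action from the filtered management
# options, guard against manage_workspace dispatching to itself, and raise
# Unauthorized when nothing is visible. Names (options as a list of dicts,
# the Unauthorized class, the 'action' key) are assumptions.


class Unauthorized(Exception):
    """Stand-in for Zope's Unauthorized exception (assumption)."""


def dispatch_with_bare_except(options):
    """'Before' shape described in the comment: a bare except.

    Assumption: the except clause turns whatever happened into Unauthorized.
    That hides the IndexError it was presumably meant for, but also the
    TypeError recursion guard and any genuine programming error.
    """
    try:
        action = options[0]['action']
        if action == 'manage_workspace':
            # Recursion guard: dispatching to ourselves would loop.
            raise TypeError('manage_workspace cannot dispatch to itself')
        return action
    except:  # noqa: E722  (the defect under discussion)
        raise Unauthorized('not authorized')


def dispatch_without_except(options):
    """'After' shape per the reply: no try/except at all.

    An empty filtered list raises Unauthorized explicitly; everything else
    (the recursion guard, a malformed option) propagates to the caller,
    where it is visible instead of being masked.
    """
    if not options:
        raise Unauthorized('not authorized')
    action = options[0]['action']
    if action == 'manage_workspace':
        raise TypeError('manage_workspace cannot dispatch to itself')
    return action


def outcome(dispatch, options):
    """Run a dispatcher and report either the chosen action or the name of
    the exception it raised, so the two shapes can be compared side by side."""
    try:
        return dispatch(options)
    except Exception as exc:  # broad on purpose: reporting, not handling
        return type(exc).__name__


# Constructed inputs: a normal option list, an empty (fully filtered) list,
# a self-referential option that should trip the recursion guard, and a
# malformed option (a bug, not an authorization problem).
NORMAL = [{'label': 'Contents', 'action': 'manage_main'}]
EMPTY = []
RECURSIVE = [{'label': 'Workspace', 'action': 'manage_workspace'}]
MALFORMED = [{'label': 'Broken'}]  # no 'action' key -> KeyError


def compare_all():
    """Return {case: (bare-except outcome, no-except outcome)}."""
    cases = {'normal': NORMAL, 'empty': EMPTY,
             'recursive': RECURSIVE, 'malformed': MALFORMED}
    return {name: (outcome(dispatch_with_bare_except, opts),
                   outcome(dispatch_without_except, opts))
            for name, opts in cases.items()}


if __name__ == '__main__':
    for name, (before, after) in compare_all().items():
        print(f'{name:10s} bare except -> {before:14s} no except -> {after}')
```

The only case where the two shapes agree on an error is the empty list, which is the one the reply says should become Unauthorized. For the recursive and malformed inputs the bare except reports "not authorized" for what is really a programming error, which is exactly the masking the reporter describes.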