Sidnei da Silva wrote:
| Now, 5.2 is where I have the problem, since raising unauthorized
| anywhere in Zope traditionally pops up a basic auth box rather than
| returning standard_error_message with a 403 response which, as time goes
| by, I'm starting to think is what should really happen.
Yes! That too.
| 1. Should things change to work as I describe?
I would think so.
OK, but I would prefer more opinions on this, so moving to zope-dev@zope.org...
| 2. Is the above behaviour pluggable at all?
Not at all.
Should it be? Can it be without impacting on performance?
| 3. How does PAS handle failover from one authentication plugin to the next?
/me leaves slot for PAS experts to fill
...
| 4. What kicks off the authentication process in Zope? Something being
| anonymously viewable or credentials being found in the request?
I've been looking at BaseRequest.traverse(). Basically, it tries to validate REQUEST._auth,
What does? And what does validate mean in this context?
being it set or not *wink* (when using
Right, and that was the source of the other thread?
CookieCrumbler this variable is set from the cookie value) and that may result in a valid user or 'Anonymous User'.
Yeah, but how does CookieCrumbler stop a basic auth box being popped to the user when things aren't authorized?
| PS: I suspect the answer to 4 varies depending on the type of auth :-(
I don't think so.
CookieCrumbler vs Everything Else: I think it does...

Chris

--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk