Lennart Regebro wrote:
Dieter Maurer wrote:
Lennart Regebro wrote at 2004-9-2 12:38 +0200:
... Are there any other problems with NOT raising an exception in unathorized(). Becuase if there is, we probably limit the possible challenge responses to a redirect, and then this change makes no difference.
If the traversal made any changes to persistent state, then these changes are committed rather than aborted.
Usually, traversal should not change the persistent state -- but...
Would the transaction.abort() addition suggested by Tino be enough to solve that?
Lennart, I am worried that there may be third-party application code which relies on 'validate' to raise an exception. Returning the login form directly is not really a big win over a redirect; among other things, it messes up cacheability, because the URL no longer corresponds to the "real" content. Tres. -- =============================================================== Tres Seaver tseaver@zope.com Zope Corporation "Zope Dealers" http://www.zope.com