[Zope-CMF] [dev] Unauthorized handling - a proposal
yuppie
y.2010 at wcm-solutions.de
Tue Apr 20 10:21:37 EDT 2010
Hi!

Charlie Clark wrote:
> On 20.04.2010 at 14:19, yuppie <y.2010 at wcm-solutions.de> wrote:
>> Charlie Clark wrote:
>>> Please add a separate folder for these views. We need to separate them
>>> from the content ones.
>
>> Why? 'browser' is a generic name, that folder is usually used for *all*
>> browser views. Which folder names would you propose?
>
> It makes it more manageable. Anyone looking at this for the first time is
> likely to get a shock when trying to work out which views are where.
>
> I'd like to have separate folders for "content", "login" or
> "authentication", "workflow", etc.

You mean subfolders of browser? At the top level I would expect more
than just the browser views inside folders with these names.

For now I'll keep it where it is. If we agree on a new structure, things
can be easily moved around.

>>> Using a view means that there is a hardcoded relation between the login
>>> form and the login cookies.
>
>> That doesn't have to be hardcoded. We could look up the cookie settings
>> in the CookieCrumbler.
>
> Would there be any advantage in this? CookieCrumbler doesn't seem to need
> them itself if the authentication is handled in a view.

For now I plan to move less out of CookieCrumbler than you seem to expect.

>>> @deprecate
>>> def getCookieMethod(name, default=None):
>>>     """ Allow overridable cookie set/expiration methods."""
>>>     return getattr(name, default)
>
>> Why deprecated?
>
> I'm assuming that this is related to Methods that could be stored within the
> CookieCrumbler when it was still a folder.

Could be. +1 if you are sure it is useless.

>>> @deprecate
>>> def modifyRequest(req, resp):
>>>     """Copies cookie-supplied credentials to the basic auth
>>>     fields.
>>>
>>>     Returns a flag indicating what the user is trying to do with
>>>     cookies: ATTEMPT_NONE, ATTEMPT_LOGIN, or ATTEMPT_RESUME. If
>>>     cookie login is disabled for this request, raises
>>>     CookieCrumblerDisabled.
>>>     """
>> Why deprecated?
>
> I'm assuming that the login happens outside of CookieCrumbler. Please
> correct me if I'm wrong on this.

For now I just want to remove these lines from __call__:

@@ -261,12 +260,6 @@
if req.get('disable_cookie_login__', 0):
return
- if (self.unauth_page or
- attempt == ATTEMPT_LOGIN or attempt == ATTEMPT_NONE):
- # Modify the "unauthorized" response.
- req._hold(ResponseCleanup(resp))
- resp.unauthorized = self.unauthorized
- resp._unauthorized = self._unauthorized
if attempt != ATTEMPT_NONE:
# Trying to log in or resume a session
if self.cache_header_value:
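
Review bot: The removed block was the only place in these lines of __call__ that installed the custom handlers (resp.unauthorized = self.unauthorized, resp._unauthorized = self._unauthorized) and held ResponseCleanup(resp) on the request, so the change should say, in the commit message or a comment at this spot, what now turns an Unauthorized response into the login redirect when unauth_page is set. It also leaves self.unauthorized, self._unauthorized, unauth_page and ResponseCleanup without a caller here; remove or deprecate them in the same change so no dead hook stays behind, and add a test that an anonymous request to a protected object still ends at the login form for both ATTEMPT_NONE and ATTEMPT_LOGIN.
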
>>> @deprecate
>>> def credentialsChanged(user, name, pw):
>>>     """# XXX: this method violates the rules for tools/utilities:
>>>     # it depends on self.REQUEST """
>> Why deprecated?
>
> Look at the docstring.

But is it obsolete?

>>> @deprecate
>>> def logout():
>>>     """
>>>     Logs out the user and redirects to the logout page.
>>>     """
>> Why deprecated?
>
> Surely this should be handled directly by the logout form or view? If it
> is kept to do the logging out, then the signature can be changed to
> require the request to be passed in. Redirection should be handled by the
> logout page.

Right. If you write a view for that, the method might become useless.

Cheers,
Yuppie