[Zope-CMF] [dev] Unauthorized handling - a proposal
Tres Seaver
tseaver at palladion.com
Tue Apr 20 12:40:52 EDT 2010
yuppie wrote:
> Hi!
>
>
> Current situation:
>
> - By default Zope publishes Unauthorized exceptions as "HTTP/1.1 401
> Unauthorized" responses including a basic authentication challenge.
>
> - If the user is not logged in, CMF converts Unauthorized exceptions
> into redirects. The redirect sends them to the login form and has a
> "came_from=" in the query string.
>
> - If the user is already logged in, the default Zope behavior is used.
> Or the request is redirected to the unauth_page if specified. I don't
> know if anybody is using the unauth_page feature. I think a good default
> behavior would be to return "HTTP/1.1 403 Forbidden" responses for
> authenticated users without enough privileges.
>
> - The Unauthorized handling is currently done by the CookieCrumbler. It
> hooks into the error handling process by overriding some methods of the
> HTTPResponse objects. Internal Zope changes partially broke this in
> Zope < 2.12.5, and there is no guarantee the hooks will work in future.
>
>
> Proposal:
>
> Meanwhile a much better hook exists for exception handling: Exception
> views. I propose to move most of the Unauthorized handling to a new
> exception view in the ICMFDefaultSkin layer.
>
> All Unauthorized exceptions inside a CMF site are converted by the view:
> into a Redirect exception for anonymous users and into a Forbidden
> exception for authenticated users.
>
> The redirect target is looked up in the 'user/login' Action, making
> CookieCrumbler's auto_login_page setting obsolete. The unauth_page
> setting will no longer be supported.
>
> CookieCrumbler and therefore CMFCore will lose the redirect feature.
>
>
> If there are no objections, I'll check in that change on CMF trunk.
+1.
Tres.
--
===================================================================
Tres Seaver +1 540-429-0999 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
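Added example (not part of the thread above, and not CMF's own exception view): a self-contained Python model of the decision the proposal describes, so the two outcomes can be exercised offline. Unauthorized, Redirect and Forbidden are stand-in classes for the zExceptions types, the 'user/login' Action is a plain dict, and the request is a dict with URL and QUERY_STRING. The same-site check on came_from is an addition of this example, not something the proposal mentions: the login form later redirects to came_from, so it should not accept an absolute URL pointing off the portal.

```python
"""Model of the proposed Unauthorized handling in a CMF exception view:
anonymous user  -> Redirect to the 'user/login' Action with came_from=...
logged-in user  -> Forbidden (HTTP 403), no Basic-auth challenge.

Everything here is a constructed stand-in for illustration.
"""
from urllib.parse import urlencode, urlsplit


class Unauthorized(Exception):
    """Stand-in for zExceptions.Unauthorized (Zope's default answer: 401 + challenge)."""


class Redirect(Exception):
    """Stand-in for zExceptions.Redirect; the publisher would emit a 302 to .url."""

    def __init__(self, url):
        super().__init__(url)
        self.url = url


class Forbidden(Exception):
    """Stand-in for zExceptions.Forbidden; the publisher would emit a 403."""


# Constructed portal URL and a stand-in for the portal_actions 'user/login' Action.
SITE = "http://cms.example"
ACTIONS = {"user": {"login": SITE + "/login_form"}}


def lookup_login_action(actions, category="user", action_id="login"):
    """Resolve the login form URL from the 'user/login' Action.

    Raises KeyError when the action is missing so a misconfigured site
    fails loudly instead of redirecting to an empty target.
    """
    return actions[category][action_id]


def same_site(portal_url, target):
    """True for relative URLs and absolute URLs on the portal's own scheme+host.

    Added caveat (not in the proposal): '//evil.example/x' parses with a
    netloc, so it is rejected like any other off-site absolute URL.
    """
    portal, tgt = urlsplit(portal_url), urlsplit(target)
    return (tgt.scheme, tgt.netloc) in (("", ""), (portal.scheme, portal.netloc))


def resolve_unauthorized(exc, request, anonymous, actions=ACTIONS, portal_url=SITE):
    """Return the exception the view would raise in place of `exc`."""
    if not anonymous:
        # Authenticated but lacking permission: 403, do not re-challenge.
        return Forbidden(str(exc))

    login = lookup_login_action(actions)
    came_from = request["URL"]
    query = request.get("QUERY_STRING")
    if query:
        came_from += "?" + query
    if not same_site(portal_url, came_from):
        came_from = portal_url  # fall back to the portal root rather than an off-site URL

    separator = "&" if "?" in login else "?"
    return Redirect(login + separator + urlencode({"came_from": came_from}))


def handle_unauthorized(exc, request, anonymous, actions=ACTIONS, portal_url=SITE):
    """What the exception view does: raise the converted exception."""
    raise resolve_unauthorized(exc, request, anonymous, actions, portal_url)


if __name__ == "__main__":
    req = {"URL": SITE + "/folder/doc", "QUERY_STRING": "a=1"}
    for anon in (True, False):
        try:
            handle_unauthorized(Unauthorized("private"), req, anonymous=anon)
        except Redirect as r:
            print("anonymous  -> 302", r.url)
        except Forbidden as f:
            print("logged in  -> 403", f)
```

The redirect target comes from the Action lookup rather than a CookieCrumbler property, matching the proposal; the 403 branch is what keeps an already-authenticated user from being bounced back into a Basic-auth prompt they have already passed.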