[Zope-dev] Re: [Zope-Coders] Unauthorized results in 401, shouldn't it result in 403?
Chris Withers
chris at simplistix.co.uk
Wed Apr 20 11:20:26 EDT 2005
Sidnei da Silva wrote:
> | Now, 5.2 is where I have the problem, since raising unauthorized
> | anywhere in Zope traditionally pops up a basic auth box rather than
> | returning standard_error_message with a 403 response which, as time goes
> | by, I'm starting to think is what should really happen.
>
> Yes! That too.
>
> | 1. Should things change to work as I describe?
>
> I would think so.
OK, but I would prefer more opinions on this, so moving to
zope-dev at zope.org...
> | 2. Is the above behaviour pluggable at all?
>
> Not at all.
Should it be? Can it be without impacting on performance?
> | 3. How does PAS handle failover from one authentication plugin to the next?
>
> /me leaves slot for PAS experts to fill
...
> | 4. What kicks off the authentication process in Zope? Something being
> | anonymously viewable or credentials being found in the request?
>
> I've been looking at BaseRequest.traverse(). Basically, it tries to
> validate REQUEST._auth,
What does? And what does validate mean in this context?
> being it set or not *wink* (when using
Right, and that was the source of the other thread?
> CookieCrumbler this variable is set from the cookie value) and
> that may result in a valid user or 'Anonymous User'.
Yeah, but how does CookieCrumbler stop a basic auth box being popped to
the user when things aren't authorized?
> | PS: I suspect the answer to 4 varies depending on the type of auth :-(
>
> I don't think so.
CookieCrumbler vs Everything Else: I think it does...
Chris
--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk