[Zope-dev] Re: [Zope-Coders] Unauthorized results in 401, shouldn't it result in 403?

Sidnei da Silva sidnei at awkly.org
Wed Apr 20 11:45:06 EDT 2005


On Wed, Apr 20, 2005 at 04:20:26PM +0100, Chris Withers wrote:
| >| 2. Is the above behaviour pluggable at all?
| >
| >Not at all.
| 
| Should it be? Can it be without impacting on performance?

I don't think so. I would expect there's only one sane way to do it.

| >| 4. What kicks off the authentication process in Zope? Something being 
| >| anonymously viewable or credentials being found in the request?
| >
| >I've been looking at BaseRequest.traverse(). Basically, it tries to
| >validate REQUEST._auth, 
| 
| What does? And what does validate mean in this context?

Did you read what I typed? It's in BaseRequest.traverse(). Read the
source, I can't summarize 100 lines of python in one sentence.

| >being it set or not *wink* (when using
| 
| Right, and that was the source of the other thread?

The source of the other thread is that falling back to unauthorized
smells wrong, but I can see at least one case where changing this
might break existing apps.

| >CookieCrumbler this variable is set from the cookie value) and
| >that may result in a valid user or 'Anonymous User'.
| 
| Yeah, but how does CookieCrumbler stop a basic auth box being popped to 
| the user when things aren't authorized?

Basically it monkeypatches RESPONSE.unauthorized() and
RESPONSE._unauthorized().

        if not req.get('disable_cookie_login__', 0):
            if attempt == ATTEMPT_LOGIN or attempt == ATTEMPT_NONE \
                   or attempt == ATTEMPT_RESUME:
                # Modify the "unauthorized" response.
                req._hold(ResponseCleanup(resp))
                resp.unauthorized = self.unauthorized
                resp._unauthorized = self._unauthorized

-- 
Sidnei da Silva <sidnei at awkly.org>
http://awkly.org - dreamcatching :: making your dreams come true
http://www.enfoldsystems.com
http://plone.org/about/team#dreamcatcher

Dirtier than a henhouse perch.
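
The per-response override described in the message above, modelled in stand-alone form as an added example (not CookieCrumbler's or Zope's own code). `Response`, `Request`, `CookieLoginHook`, `run`, the `/login_form` path and the realm string are constructed stand-ins, and `ResponseCleanup` here is a simplified class that only borrows the name from the snippet.

```python
# Simplified model: the default 401 challenge vs. a per-request override.
# All classes and values below are hypothetical stand-ins, not Zope APIs.
class Response:
    def __init__(self):
        self.status, self.headers = 200, {}

    def unauthorized(self):
        # Default behaviour: a 401 challenge, which makes the browser
        # show its basic auth dialog.
        self.status = 401
        self.headers["WWW-Authenticate"] = 'basic realm="Zope"'  # constructed

class Request(dict):
    def __init__(self, response, **form):
        super().__init__(form)
        self.response, self.held = response, []

    def hold(self, obj):
        self.held.append(obj)  # kept until the request is closed

    def close(self):
        while self.held:
            self.held.pop().cleanup()

class ResponseCleanup:
    def __init__(self, resp):
        self.resp = resp

    def cleanup(self):
        # Drop the instance attribute so the response stops referencing the hook.
        self.resp.__dict__.pop("unauthorized", None)

class CookieLoginHook:
    login_url = "/login_form"  # assumed path

    def install(self, req):
        if req.get("disable_cookie_login__", 0):
            return  # flag set: leave the 401 challenge in place
        resp = req.response
        req.hold(ResponseCleanup(resp))
        # The instance attribute shadows the class method for this response only.
        resp.unauthorized = lambda: self.redirect(resp)

    def redirect(self, resp):
        resp.status = 302
        resp.headers["Location"] = self.login_url

def run(**form):
    resp = Response()
    req = Request(resp, **form)
    CookieLoginHook().install(req)
    resp.unauthorized()  # what gets called when access is denied
    patched = "unauthorized" in resp.__dict__
    req.close()
    return resp.status, resp.headers, patched, "unauthorized" in resp.__dict__
```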

