[Zope-dev] Unauthorized handling in Zope2

yuppie y.2010 at wcm-solutions.de
Tue Apr 20 10:01:30 EDT 2010


Hi!


Wichert Akkerman wrote:
> On 4/20/10 15:17 , yuppie wrote:
>> Wichert Akkerman wrote:
>>> I added an extra change (see diff below) to fix that, after which things
>>> seemed to work.
>>
>> Great!
>
> Can you commit that change along with your other changes?

Yes. I'll write some more tests and commit it in time for the 2.12.5 
release. Thanks for catching this issue early enough!

>> Re-raising the exceptions makes sure the post-processing in
>> HTTPResponse.exception is called. That is also expected by
>> CookieCrumbler and PAS.
>
> The authentication dance between the publisher, request, PAS and
> CookieCrumbler really is a bit contrived :(

Another advantage of the re-raising pattern is the fact that you can 
easily change the response type by raising a different exception inside 
the view. I plan to use that for replacing the nasty unauth redirect 
code in CookieCrumbler. The exception view will raise Redirect or 
Forbidden if you are already logged in.

>> A better fix would be to store the rendered exception value in the
>> response object instead of the exception object. That way we could
>> re-raise *all* exceptions as it was done in older Zope versions.
>>
>> But this would have been a bigger refactoring with more risks to break
>> something else.
>
> Perhaps something for 2.13 :)

Yes. Perhaps ;)


Cheers,

	Yuppie

