[Zope-dev] PAS CookieAuthHelper and insufficient privileges
Laurence Rowe
l at lrowe.co.uk
Mon Oct 11 20:21:07 EDT 2010
I'm currently implementing single sign on across Plone sites but have
run into a bit of an issue with the CookieAuthHelper.
Unauthorized accesses are redirected to its login_path attribute even
when a user is already logged in. Plone works around this with a
require_login script that traverses to insufficient_privileges (rather
than login_form) when the user is not anonymous.
http://dev.plone.org/plone/browser/Plone/trunk/Products/CMFPlone/skins/plone_login/require_login.py
I'd like to avoid having two redirects (one to require_login and then
one to the remote login page).
One option (as suggested in require_login.py) would be to have
CookieAuthHelper traverse rather than redirect to the login_path so
that sites could override the behaviour, though they would then
presumably need to duplicate the functionality currently in
CookieAuthHelper.unauthorized (which I must admit to only barely
understanding...)
http://zope3.pov.lt/trac/browser/Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/CookieAuthHelper.py
Instead, it would seem to make sense to move this functionality login
/ insufficient privileges functionality into the CookieAuthHelp
itself. I could add an insufficient_privs_path and redirect there
instead of login_path when a user is already authorized.
Yet another option would be to let logged in unauthorized to percolate
up and implement that page with an error view.
Any opinions? I'm leaning towards adding an insufficient_privs_path as
it seems simplest and least invasive. (When not set it would just use
login_path as normal).
Laurence
More information about the Zope-Dev
mailing list