#4354: Django misuses the HTTP 401 Unauthorized header (either requires a
WWW-Authenticate header or modification to return 403 Forbidden)
---------------------------------+------------------------------------------
   Reporter:  [EMAIL PROTECTED]  |                Owner:  adrian        
     Status:  closed             |            Component:  Core framework
    Version:  SVN                |           Resolution:  invalid       
   Keywords:                     |                Stage:  Accepted      
  Has_patch:  0                  |           Needs_docs:  0             
Needs_tests:  0                  |   Needs_better_patch:  0             
---------------------------------+------------------------------------------
Comment (by SmileyChris):

 Correction: "Django is not actually providing the ''response''...
 
 So in summary, Apache still handles creating the response so
 
  1) we can't add anything to the response and
 
  2) if it just raises forbidden then the user will never be able to see it
 (since this handler relies on basic http auth)
 
 In IRC, mattmcc said:
 > the Modpython docs say: "A return of apache.OK means the authentication
 > succeeded. A return of apache.HTTP_UNAUTHORIZED with most browser will
 > bring up the password dialog box again. A return of apache.HTTP_FORBIDDEN
 > will usually show the error on the browser and not bring up the password
 > dialog again. HTTP_FORBIDDEN should be used when authentication succeeded,
 > but the user is not permitted to access a particular URL."
 
 > He's probably half right.
 
 > The handler returns unauthorized for both checks that it does, the auth
 > check and the permissions check. The modpython docs suggest using
 > forbidden if the permissions check fails.
 
 My second patch in #3583 provides this alternate method.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/4354#comment:7>
Django Code <http://code.djangoproject.com/>
The web framework for perfectionists with deadlines
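
The 401/403 split described in the quoted mod_python documentation, as an added plain-Python model (not Django's, mod_python's or the ticket author's code). `USERS`, `check_access`, `response_headers`, `basic` and the realm name are constructed for illustration.

```python
import base64
import binascii
import hmac

# Model values standing in for apache.OK / HTTP_UNAUTHORIZED / HTTP_FORBIDDEN.
OK, HTTP_UNAUTHORIZED, HTTP_FORBIDDEN = 0, 401, 403

# Constructed sample accounts (a real store holds password hashes, not plaintext).
USERS = {
    "alice": ("correct horse", {"view_reports"}),
    "bob": ("hunter2", set()),
}

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def check_access(header, required_perm, users=USERS):
    """401 = credentials missing or wrong; 403 = authenticated but not permitted."""
    creds = parse_basic(header)
    if creds is None:
        return HTTP_UNAUTHORIZED
    user, password = creds
    stored_pw, perms = users.get(user, ("", set()))
    # Always run the constant-time compare, even for unknown users.
    pw_ok = hmac.compare_digest(password.encode(), stored_pw.encode())
    if user not in users or not pw_ok:
        return HTTP_UNAUTHORIZED
    if required_perm not in perms:
        return HTTP_FORBIDDEN  # the password was right, so re-prompting cannot help
    return OK

def response_headers(status, realm="example"):
    """A 401 carries a WWW-Authenticate challenge; a 403 carries none."""
    if status == HTTP_UNAUTHORIZED:
        return {"WWW-Authenticate": 'Basic realm="%s"' % realm}
    return {}

def basic(user, password):
    """Build a constructed Authorization header for the sample calls."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```
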