I'm pretty sure you need to be using 401 for pages that require authorisation, and not 403.

Maybe try to untangle your approach so that the login page is never throwing 401 (or 403). The protected resource should raise the exception and your app design handles it by issuing a redirect to login. The login should always be publicly accessible, regardless of whether you tell the user they are already logged in or not. URIs that represent content should not also serve login forms. Or did I miss something? :)

> 10.4.4 403 Forbidden
>
> The server understood the request, but is refusing to fulfill it.
> Authorization will not help and the request SHOULD NOT be repeated. If the
> request method was not HEAD and the server wishes to make public why the
> request has not been fulfilled, it SHOULD describe the reason for the refusal
> in the entity. If the server does not wish to make this information available
> to the client, the status code 404 (Not Found) can be used instead.

On 9 Feb 2012, at 09:39, Yap Sok Ann <[email protected]> wrote:

> HTTPForbidden is exactly what I throw in the traversal code, which
> then gets mapped to the login view. If I throw HTTPForbidden again in
> the login view, it will result in 500 Internal Server Error, thus I
> manually create a 403 response and return that instead.
>
> On Feb 9, 9:13 am, Jonathan Vanasco <[email protected]> wrote:
>> I don't use traversal... but can't you just use an httpexception?
>>
>> http://readthedocs.org/docs/pyramid/en/1.0-branch/api/httpexceptions....
>>
>> class HTTPForbidden(detail=None, headers=None, comment=None,
>> body_template=None, **kw)
>> subclass of HTTPClientError
>> This indicates that the server understood the request, but is
>> refusing to fulfill it.
>> code: 403, title: Forbidden
>>
>> from pyramid import httpexceptions
>> ....
>> return httpexceptions.HTTPForbidden()
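The separation described in the reply above, as an added example that is not part of the original thread and is not Pyramid code: a framework-free WSGI sketch in which protected resources raise an exception, one handler turns it into a login redirect for anonymous users or a 403 for logged-in users who lack the permission, and the login view never raises. The `Forbidden` class, the routes, the `USERS` table and the use of `REMOTE_USER` as the authenticated identity are assumptions made for the illustration.

```python
from urllib.parse import quote
from wsgiref.util import setup_testing_defaults

class Forbidden(Exception):
    """Raised only by protected resources, never by the login view."""

USERS = {"alice": {"reports"}}  # constructed sample data: user -> permissions

def protected(permission, text):
    def view(environ):
        # The resource itself decides access and raises; it serves no login form.
        if permission not in USERS.get(environ.get("REMOTE_USER"), set()):
            raise Forbidden(permission)
        return "200 OK", text
    return view

def login_view(environ):
    # Always public: answers 200 whether or not somebody is already logged in.
    user = environ.get("REMOTE_USER")
    return "200 OK", f"Already logged in as {user}" if user else "Login form"

ROUTES = {"/login": login_view,
          "/reports": protected("reports", "Quarterly report"),
          "/admin": protected("admin", "Admin console")}

def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    headers = [("Content-Type", "text/plain")]
    try:
        status, body = ROUTES[path](environ)
    except KeyError:
        status, body = "404 Not Found", "Not found"
    except Forbidden:
        if environ.get("REMOTE_USER") is None:
            # Anonymous: logging in may help, so redirect to the public login page.
            status, body = "303 See Other", ""
            headers.append(("Location", "/login?next=" + quote(path, safe="")))
        else:
            # Authenticated but not permitted: logging in again will not help.
            status, body = "403 Forbidden", "Forbidden"
    start_response(status, headers)
    return [body.encode()]

def request(path, user=None):
    """Drive the app in-process; returns (status, headers dict, body text)."""
    environ, seen = {}, {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    if user:
        environ["REMOTE_USER"] = user  # assumption: set by upstream auth middleware
    def start_response(status, headers, exc_info=None):
        seen.update(status=status, headers=dict(headers))
    body = b"".join(app(environ, start_response)).decode()
    return seen["status"], seen["headers"], body
```

A login handler that later honours the `next` parameter should accept only local paths, otherwise the redirect target becomes attacker-controlled.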
