Pyramid internally raises a HTTPForbidden... this is the safest thing for
Pyramid to do, and requires the fewest assumptions about what your app
actually wants. From that point, you can catch the HTTPForbidden in an
exception view, determine what you actually want to do, and return that.
For example:
    from pyramid.httpexceptions import HTTPForbidden, HTTPFound
    from pyramid.security import authenticated_userid
    from pyramid.view import view_config

    @view_config(context=HTTPForbidden, renderer='unauthorized.mako')
    def forbidden_view(request):
        if authenticated_userid(request) is None:
            # user is not logged in, let's redirect them to the login view
            # or we could return a HTTPUnauthorized here or something if we knew
            # what information to send in the www-authenticate header required
            # by a 401
            return HTTPFound(request.route_url('login'))
        # user is logged in and does not have access to the resource
        # so let's render the unauthorized template and set the response code
        # to be 403
        # because they really are forbidden
        request.response.status = 403
        return {}
HTTPUnauthorized is supposed to return a way for the user to authenticate,
so it's not generally applicable. For example, you would use it in a "http
basic" policy to get the browser to display a challenge.
On Thu, Feb 9, 2012 at 12:40 PM, Mike Orr <[email protected]> wrote:
> On Thu, Feb 9, 2012 at 8:36 AM, Yap Sok Ann <[email protected]> wrote:
> > That's what I thought too, but it seems like the "standard" for
> > pyramid is to show the login view for 403:
> >
> >
> http://docs.pylonsproject.org/projects/pyramid/en/latest/tutorials/wiki/authorization.html#add-login-and-logout-views
>
> This appears to be a mistake on Pyramid's part. Wouldn't it be better
> to fix Pyramid to use 401 HTTPUnauthorized for not-logged-in rather
> than using 403 HTTPForbidden for both cases?
>
> --
> Mike Orr <[email protected]>
>
> --
> You received this message because you are subscribed to the Google Groups
> "pylons-discuss" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/pylons-discuss?hl=en.
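The decision the reply describes, as an added, self-contained illustration that is not code from the thread or from Pyramid itself: an unauthenticated user is redirected to the login view under a session/cookie policy, or gets a 401 with a WWW-Authenticate challenge under an HTTP Basic policy (the one case where the server knows what challenge to send), while an authenticated user who lacks permission gets a plain 403 with no redirect. Pyramid is not imported; the `Request`, `Response`, `ACL` and `handle` names are hypothetical stand-ins constructed here so the logic runs offline.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    """Minimal stand-in for a Pyramid request (constructed for this example)."""
    path: str
    userid: Optional[str] = None   # None means "not authenticated"
    auth_policy: str = "session"   # "session" (cookie login) or "basic" (HTTP Basic)
    realm: str = "example"

    def route_url(self, name: str) -> str:
        # Hypothetical router: only a 'login' route exists here.
        if name == "login":
            return "/login?next=" + self.path
        raise KeyError(name)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def forbidden_view(request: Request) -> Response:
    """What to return once an authorization check has failed.

    This is the branch logic an HTTPForbidden exception view would carry:
    first ask "is anyone logged in at all?", and only then "are they allowed?".
    """
    if request.userid is None:
        if request.auth_policy == "basic":
            # We know exactly what challenge the client needs, so a 401 is
            # correct: it must carry a WWW-Authenticate header (RFC 7235).
            return Response(
                401,
                {"WWW-Authenticate": 'Basic realm="%s"' % request.realm},
                "authentication required",
            )
        # Cookie/session login: the browser cannot answer a challenge, so
        # send the user to the login form instead of a bare 401.
        return Response(302, {"Location": request.route_url("login")})
    # Logged in but not permitted. This is a genuine 403: logging in again
    # would not help, so do not bounce the user to the login view.
    return Response(403, {}, "forbidden: %s may not access %s"
                    % (request.userid, request.path))


# Constructed ACL: which userids may reach which path.
ACL = {
    "/admin": {"alice"},
    "/reports": {"alice", "bob"},
}


def handle(request: Request) -> Response:
    """Tiny dispatcher: serve the resource if permitted, else run forbidden_view."""
    allowed = ACL.get(request.path, set())
    if request.userid is not None and request.userid in allowed:
        return Response(200, {}, "ok")
    return forbidden_view(request)


if __name__ == "__main__":
    for req in (Request("/admin"),
                Request("/admin", auth_policy="basic"),
                Request("/admin", userid="bob"),
                Request("/reports", userid="bob")):
        resp = handle(req)
        print(req.path, req.userid, req.auth_policy, "->", resp.status, resp.headers)
```

Keeping the 403 branch free of any redirect is the practical point: sending an already-authenticated user back to the login page produces a redirect loop and hides the real reason (insufficient permission) from both the user and the logs.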