Sorry, I should have added this, but resisted as I felt my message was long enough.

Just because Pyramid (or your app) raises an HTTP exception doesn't mean you have to return that view. As Michael describes, you can intercept and downgrade the exception as you deem appropriate. The reason your code doesn't work is not because of Pyramid raising a 403 or 401 exception; it's because you have a tangle (which was initially resulting in the server error loop). You never actually want to serve a 401 view because you'll always be redirecting with HTTPFound to login, as Michael's example and the tutorial you're following show (unless your user is not human and knows how to authenticate and retry). The 403 view (NOT the login page) is what you serve when you have an authenticated user who doesn't have the necessary permission; you might like to say 'you don't have permission to see this' rather than just 'forbidden', because forbidden doesn't really make sense in a web app (i.e. if something is totally forbidden then don't serve it!).

I might have come at it differently, raising 401 initially (all we can say is 'auth required' because we don't know who the user is) and then issuing 403 if the authenticated user lacked a particular permission, but then I probably haven't spent as much time wrestling with this matter. I would be intrigued to learn of the reasoning if you have the time, Michael? :)

I always seem to find the meaning of HTTP status code 302 rather odd in the auth context because it says "The requested resource resides temporarily under a different URI", which is not accurate but seems to be the best fit.

On 9 Feb 2012, at 20:48, Michael Merickel <[email protected]> wrote:

> Pyramid internally raises a HTTPForbidden... this is the safest thing for
> Pyramid to do, and requires the fewest assumptions about what your app
> actually wants. From that point, you can catch the HTTPForbidden in an
> exception view, determine what you actually want to do, and return that.
>
> For example:
>
> from pyramid.httpexceptions import HTTPForbidden, HTTPFound
> from pyramid.security import authenticated_userid
> from pyramid.view import view_config
>
> @view_config(context=HTTPForbidden, renderer='unauthorized.mako')
> def forbidden_view(request):
>     if authenticated_userid(request) is None:
>         # user is not logged in, let's redirect them to the login view
>         # or we could return a HTTPUnauthorized here or something if we knew
>         # what information to send in the www-authenticate header required by a 401
>         return HTTPFound(request.route_url('login'))
>
>     # user is logged in and does not have access to the resource
>     # so let's render the unauthorized template and set the response code to be 403
>     # because they really are forbidden
>     request.response.status = 403
>     return {}
>
> HTTPUnauthorized is supposed to return a way for the user to authenticate,
> so it's not generally applicable. For example you would use it in a "http
> basic" policy to get the browser to display a challenge.
>
> On Thu, Feb 9, 2012 at 12:40 PM, Mike Orr <[email protected]> wrote:
> > On Thu, Feb 9, 2012 at 8:36 AM, Yap Sok Ann <[email protected]> wrote:
> > > That's what I thought too, but it seems like the "standard" for
> > > pyramid is to show the login view for 403:
> > >
> > > http://docs.pylonsproject.org/projects/pyramid/en/latest/tutorials/wiki/authorization.html#add-login-and-logout-views
> >
> > This appears to be a mistake on Pyramid's part. Wouldn't it be better
> > to fix Pyramid to use 401 HTTPUnauthorized for not-logged-in rather
> > than using 403 HTTPForbidden for both cases?
> >
> > --
> > Mike Orr <[email protected]>
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "pylons-discuss" group.
> > To post to this group, send email to [email protected].
> > To unsubscribe from this group, send email to
> > [email protected].
> > For more options, visit this group at
> > http://groups.google.com/group/pylons-discuss?hl=en.
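An added, framework-neutral illustration of the decision the thread is about (302 to login for an anonymous browser, 401 with a WWW-Authenticate challenge for an anonymous non-browser client, 403 for a logged-in user who lacks the permission). This is example code written for this page, not Pyramid's code and not any participant's code; it is a plain WSGI app using only the standard library so it runs without Pyramid. The user table, session cookies, `/login` route, realm name and the Accept-header heuristic for telling browsers from API clients are all constructed assumptions.

```python
"""Framework-neutral WSGI sketch of the 401 / 302 / 403 decision from the thread.
Added example; not Pyramid code and not the thread's code."""
from urllib.parse import quote

# Constructed sample data (assumptions, not from the thread): who exists,
# what they may do, and which session cookie maps to whom.
USERS = {"alice": {"edit"}, "bob": set()}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
LOGIN_URL = "/login"   # assumed login route
REALM = "wiki"         # assumed realm for the Basic challenge


def authenticated_userid(environ):
    """Return the logged-in user from the session cookie, or None if anonymous."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and value in SESSIONS:
            return SESSIONS[value]
    return None


def wants_html(environ):
    """Heuristic (an assumption): a client that accepts text/html is a browser
    that can follow a redirect to a login form; anything else is treated as an
    API client that can act on a 401 challenge."""
    return "text/html" in environ.get("HTTP_ACCEPT", "")


def forbidden_response(environ):
    """Map 'access denied' to the status the caller can actually act on.

    Same decision as the exception view in the thread, with the 401 branch
    filled in:
      anonymous + browser      -> 302 to the login page
      anonymous + non-browser  -> 401 plus a WWW-Authenticate challenge
      logged in, no permission -> 403, which really is 'forbidden'
    Returns (status, headers, body).
    """
    if authenticated_userid(environ) is None:
        if wants_html(environ):
            # ?next= is built only from our own PATH_INFO, never from client
            # input, so it cannot be turned into an open redirect.
            next_url = quote(environ.get("PATH_INFO", "/"), safe="")
            return ("302 Found", [("Location", f"{LOGIN_URL}?next={next_url}")], b"")
        return ("401 Unauthorized",
                [("WWW-Authenticate", f'Basic realm="{REALM}"'),
                 ("Content-Type", "text/plain")],
                b"authentication required\n")
    return ("403 Forbidden",
            [("Content-Type", "text/plain")],
            b"you don't have permission to see this\n")


def app(environ, start_response):
    """Tiny protected app: /edit needs the 'edit' permission, everything else is public."""
    perms = USERS.get(authenticated_userid(environ), set())
    if environ.get("PATH_INFO") == "/edit" and "edit" not in perms:
        status, headers, body = forbidden_response(environ)
    else:
        status, headers, body = ("200 OK", [("Content-Type", "text/plain")], b"ok\n")
    start_response(status, headers)
    return [body]


def call(path, **extra_environ):
    """Drive the app in-process (no server); returns (status, headers dict, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, **extra_environ}
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for label, kwargs in [
        ("browser, anonymous", {"HTTP_ACCEPT": "text/html"}),
        ("API client, anonymous", {"HTTP_ACCEPT": "application/json"}),
        ("browser, bob (no permission)", {"HTTP_ACCEPT": "text/html", "HTTP_COOKIE": "session=tok-bob"}),
        ("alice (has permission)", {"HTTP_COOKIE": "session=tok-alice"}),
    ]:
        status, headers, _ = call("/edit", **kwargs)
        hint = headers.get("Location", headers.get("WWW-Authenticate", ""))
        print(f"{label:30} -> {status} {hint}")
```

The point of splitting on `authenticated_userid` first is the one made in the thread: a 401 is only useful when the response also tells the client how to authenticate, which is why it is paired with a WWW-Authenticate header and only sent to clients that will not follow a login redirect; a 403 is reserved for a known user who genuinely may not see the resource, so the body can say so instead of just "forbidden".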
