>
> Can we clarify this some more?


> The "correct" behavior is for the application to return a "Forbidden" error
> response (HTTP response code 403) for authenticated users, and only
> raise an "Unauthorized" (401) for anonymous users:  the 401 response is
> misnamed, but the semantics defined in RFC 2615[1] clearly require a
> fresh challenge.

A fresh challenge only for the 401 Unauthorized, not for the 403
Forbidden, which should be used, right?  At least that is how I understand it,
and according to the doc you just provided and the definitions of the 401 and
403 status codes, it seems to hold up.  So repoze.who should not be logging a
person out when they are not authorized for a resource, like it is currently,
and it should return 403 instead of 401 when the user does not have permission
to an area.  Is that right?

Forgive me if you feel I'm being difficult, but I just don't like this
behavior.  It seems to go completely against what a user will expect.  I've
never had a web app log me out because I tried to access something that I
didn't have authorization to access.

If you feel this functionality doesn't belong in repoze.who, it'd be nice to
at least be able to manipulate who enough with plugins, as opposed to monkey
patching it, to provide the functionality.


Thanks,
Nathan


> 10.4.4 403 Forbidden
>
>    The server understood the request, but is refusing to fulfill it.
>    Authorization will not help and the request SHOULD NOT be repeated.
>    If the request method was not HEAD and the server wishes to make
>    public why the request has not been fulfilled, it SHOULD describe the
>    reason for the refusal in the entity.  If the server does not wish to
>    make this information available to the client, the status code 404
>    (Not Found) can be used instead.
>
>
2009/7/5 Tres Seaver <tsea...@palladion.com>

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Nathan Van Gheem wrote:
> > Hello everyone,
> > It seems odd to me that repoze.who would log someone out who is not
> > authorized to a certain part of a web site.  Unless I'm doing something
> > wrong it seems like there is no good way around it either.
> >
> > The only solution I could find is creating my own redirecting form plugin
> > that adds a config option for an unauthorized url--so the app can tell the
> > user they don't belong in this area of the site.  Then I had to remove lines
> > 253 - 259 of middleware.py of repoze.who also,
> >
> >>         if identifier:
> >>             forget_headers = identifier.forget(environ, identity)
> >>             if forget_headers is None:
> >>                 forget_headers = []
> >>             else:
> >>                 logger and logger.info('forgetting via headers from %s: %s'
> >>                                        % (identifier, forget_headers))
> >>
> >
> > The custom redirecting form plugin looks like so,
> >
> >> # Imports the plugin relies on (Paste, zope.interface and repoze.who 1.x).
> >> import cgi
> >> import urllib
> >> import urlparse
> >>
> >> from paste.httpexceptions import HTTPFound
> >> from paste.request import construct_url
> >> from paste.response import header_value
> >> from zope.interface import implements
> >>
> >> from repoze.who.interfaces import IChallenger, IIdentifier
> >> from repoze.who.plugins.form import RedirectingFormPlugin
> >>
> >>
> >> class MyRedirectingFormPlugin(RedirectingFormPlugin):
> >>
> >>     implements(IChallenger, IIdentifier)
> >>
> >>     def __init__(self, login_form_url, login_handler_path,
> >>                  logout_handler_path, rememberer_name, unauthorized_url,
> >>                  reason_param='reason'):
> >>         super(MyRedirectingFormPlugin, self).__init__(
> >>             login_form_url,
> >>             login_handler_path,
> >>             logout_handler_path,
> >>             rememberer_name,
> >>             reason_param=reason_param,
> >>         )
> >>         # Where to send users who are logged in but not permitted here.
> >>         self.unauthorized_url = unauthorized_url
> >>
> >>     # IChallenger
> >>     def challenge(self, environ, status, app_headers, forget_headers):
> >>         reason = header_value(app_headers, 'X-Authorization-Failure-Reason')
> >>         # Already-authenticated users are sent to the "unauthorized" page
> >>         # instead of the login form.
> >>         if environ.get('repoze.who.identity', False):
> >>             url_parts = list(urlparse.urlparse(self.unauthorized_url))
> >>         else:
> >>             url_parts = list(urlparse.urlparse(self.login_form_url))
> >>         query = url_parts[4]
> >>         query_elements = cgi.parse_qs(query)
> >>         came_from = environ.get('came_from', construct_url(environ))
> >>         query_elements['came_from'] = came_from
> >>         if reason:
> >>             query_elements[self.reason_param] = reason
> >>         url_parts[4] = urllib.urlencode(query_elements, doseq=True)
> >>         login_form_url = urlparse.urlunparse(url_parts)
> >>         headers = [('Location', login_form_url)]
> >>         cookies = [(h, v) for (h, v) in app_headers
> >>                    if h.lower() == 'set-cookie']
> >>         headers = headers + forget_headers + cookies
> >>         return HTTPFound(headers=headers)
> >>
> >
> > Doesn't seem to make sense to log a person out just because they are
> > unauthorized does it?
> >
> > I'm really not sure and a little new to all this stuff so please tell me if
> > there is a better way to do this sort of thing.
>
> The "correct" behavior is for the application to return a "Forbidden" error
> response (HTTP response code 403) for authenticated users, and only
> raise an "Unauthorized" (401) for anonymous users:  the 401 response is
> misnamed, but the semantics defined in RFC 2615[1] clearly require a
> fresh challenge.
>
>
> [1] See section 10.4.2 and 10.4.4 of http://www.ietf.org/rfc/rfc2616.txt
>
> Tres.
> - --
> ===================================================================
> Tres Seaver          +1 540-429-0999          tsea...@palladion.com
> Palladion Software   "Excellence by Design"    http://palladion.com
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFKUOwl+gerLs4ltQ4RArnxAJsFbw+yebq0gc270sLuaK1pTFfEJQCgkdE/
> GB+DLpsoK7i601D5okeDzwM=
> =rX2o
> -----END PGP SIGNATURE-----
>
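The 401-versus-403 rule Tres describes, as an added example that is not part of this thread or of repoze.who's own code: a small pure-WSGI stack in which only a 401 from the application triggers the login redirect and the cookie-clearing "forget" header, while a 403 for a logged-in user passes through with the session intact. The `example.identity` environ key, the `auth` cookie, the `USERS` table and the `/admin` path are constructed for the demo and stand in for a real identifier plugin.

```python
# Added example, not repoze.who code: a three-layer WSGI stack that keeps the
# 401/403 distinction from the thread.  'example.identity', the USERS table and
# the 'auth' cookie are constructed for this demo.
from http.cookies import SimpleCookie
from urllib.parse import quote

# Constructed user table: cookie value -> identity (a stand-in for a real identifier).
USERS = {
    'alice': {'user': 'alice', 'roles': ['viewer']},
    'root':  {'user': 'root',  'roles': ['viewer', 'admin']},
}


def identify(app):
    """Identifier layer: turn the 'auth' cookie into environ['example.identity']."""
    def wrapped(environ, start_response):
        cookie = SimpleCookie(environ.get('HTTP_COOKIE', ''))
        token = cookie['auth'].value if 'auth' in cookie else None
        identity = USERS.get(token)
        if identity is not None:
            environ['example.identity'] = identity
        return app(environ, start_response)
    return wrapped


def admin_app(environ, start_response):
    """Protected application following the rule from the thread:
    anonymous -> 401 (credentials wanted), logged in but not permitted -> 403."""
    identity = environ.get('example.identity')
    if identity is None:
        start_response('401 Unauthorized', [('Content-Type', 'text/plain')])
        return [b'authentication required']
    if 'admin' not in identity['roles']:
        start_response('403 Forbidden', [('Content-Type', 'text/plain')])
        return [b'you are logged in, but this area is off limits']
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [b'admin console']


def challenge(app, login_url='/login'):
    """Challenger layer modelled on repoze.who's middleware: only a 401 from the
    app triggers the login redirect plus the cookie-clearing 'forget' header.
    A 403 is passed through untouched, so the user stays logged in."""
    def wrapped(environ, start_response):
        captured = {}

        def capture(status, headers, exc_info=None):
            captured['status'] = status
            captured['headers'] = list(headers)

        body = list(app(environ, capture))
        if captured['status'].startswith('401'):
            came_from = quote(environ.get('PATH_INFO', '/'), safe='')
            headers = [('Location', '%s?came_from=%s' % (login_url, came_from)),
                       ('Set-Cookie', 'auth=; Max-Age=0; Path=/')]  # forget header
            start_response('302 Found', headers)
            return [b'']
        start_response(captured['status'], captured['headers'])
        return body
    return wrapped


SITE = identify(challenge(admin_app))


def request(path, cookie=None):
    """Drive the stack with a constructed WSGI environ; return (status, headers, body)."""
    environ = {'REQUEST_METHOD': 'GET', 'PATH_INFO': path}
    if cookie:
        environ['HTTP_COOKIE'] = 'auth=%s' % cookie
    result = {}

    def start_response(status, headers, exc_info=None):
        result['status'] = status
        result['headers'] = dict(headers)

    body = b''.join(SITE(environ, start_response))
    return result['status'], result['headers'], body


if __name__ == '__main__':
    for cookie in (None, 'alice', 'root'):
        status, headers, body = request('/admin', cookie)
        print(cookie, status, headers.get('Location'), headers.get('Set-Cookie'), body)
```

Run it and the three requests show the behavior Nathan is asking for: the anonymous request is redirected to the login form and its cookie cleared, alice's request gets a plain 403 with no `Set-Cookie` (she remains logged in), and root's request reaches the application. The point of the design is that the decision to forget the identity is tied to the 401 status alone, exactly where repoze.who's challenge step keys off it.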
_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev
