Nathan Van Gheem wrote:
>> Can we clarify this some more?
>> The "correct" behavior for the application to return a "Forbidden" error
>> response (HTTP response code 403) for authenticated users, and only
>> raise an "Unauthorized" (401) for anonymous users:  the 401 response is
>> misnamed, but the semantics defined in RFC 2615[1] clearly require a
>> fresh challenge.
>  A fresh challenge only for the 401 Unauthorized not for the 403
> Forbidden which should be used right?  At least is how I understand it
> and according
> to the doc you just provided and a definition of 401 and 403 status codes,
> it seems to hold up.  So repoze.who should not be logging a person out when
> they are not authorized for a resource like it is currently, and it should return
> 403 instead of 401 when the user does not have permission to an area.  Is
> that right?
> Forgive me if you feel I'm being difficult, but I just don't like this
> behavior.  It seems to go completely against what a user will expect.  I've
> never had a web app log me out because I tried to access something that I
> didn't have authorization to access.
> If this functionality doesn't feel like it belongs to repoze.who, it'd be nice to
> at least be able to manipulate who enough with plugins as opposed to monkey
> patching it to provide the functionality.

The repoze.who response processing is only doing what your app is
signalling it to do by returning a 401.  I'm suggesting that you change
your application, such that it doesn't trigger a 401 when you don't want
to challenge the user.  Instead, either return a 403 or a custom form
explaining why the user is not allowed to do what the previous request

If you *really* want the challenge not to destroy the existing
credentials, then derive a new plugin, e.g. derived from
InsecureCookiePlugin, and have its 'forget' method return an empty list.
You will then have to do the work yourself to issue the correct headers
when the user signals that she wants to log out.

--
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
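An added example, not code from this thread or from repoze.who itself, that models the behaviour discussed above: a cookie identifier whose `forget` clears the cookie, a 401-triggered challenge that calls `forget` (so an authenticated user who hits a 401 is logged out), the same request answered with 403 (credentials survive), and the suggested variant of the plugin whose `forget` returns an empty list. Class names, the cookie name, the `/login` location and the `run`/`cookie_cleared` helpers are all constructed for illustration; only the `identify`/`remember`/`forget` method names follow repoze.who's identifier plugin contract.

```python
# Constructed model of repoze.who's challenge-on-401 processing (not the
# library's own code). Responses are (status, headers, body) tuples and
# the environ is a plain dict, so it runs without a WSGI server.

COOKIE_NAME = "auth_tkt"  # assumed cookie name for this example
EXPIRED = "Expires=Thu, 01 Jan 1970 00:00:00 GMT"


class CookieIdentifier:
    """Identifier modelled on a cookie plugin: identify/remember/forget."""

    def __init__(self, cookie_name=COOKIE_NAME):
        self.cookie_name = cookie_name

    def identify(self, environ):
        # Parse "name=value; name2=value2" from the Cookie header.
        for part in environ.get("HTTP_COOKIE", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == self.cookie_name and value:
                return {"login": value}
        return None

    def remember(self, environ, identity):
        return [("Set-Cookie", f"{self.cookie_name}={identity['login']}; Path=/")]

    def forget(self, environ, identity):
        # Expiring the cookie is what logs the user out during a challenge.
        return [("Set-Cookie", f"{self.cookie_name}=; Path=/; {EXPIRED}")]


class KeepCredentialsIdentifier(CookieIdentifier):
    """The variant suggested in the reply: forget() returns an empty list,
    so a 401 challenge no longer clears the cookie. The application must
    then emit the expiring Set-Cookie itself on an explicit logout."""

    def forget(self, environ, identity):
        return []


def challenge_middleware(app, identifier):
    """When the downstream app answers 401, run forget() and redirect to the
    login form; every other status (including 403) passes through untouched."""

    def wrapped(environ):
        identity = identifier.identify(environ)
        environ["identity"] = identity
        status, headers, body = app(environ)
        if status == 401:
            headers = [("Location", "/login")] + identifier.forget(environ, identity)
            return 302, headers, b""
        return status, headers, body

    return wrapped


def protected_app(environ, status_on_denied=401):
    """Only 'admin' may see the resource. status_on_denied is the code the
    app returns to an authenticated but unauthorised user (401 vs 403)."""
    identity = environ.get("identity")
    if identity is None:
        return 401, [], b"please log in"  # anonymous: a challenge is correct
    if identity["login"] != "admin":
        return status_on_denied, [], b"not allowed"
    return 200, [], b"secret"


def cookie_cleared(headers):
    """True if the response expires the session cookie (i.e. logs out)."""
    return any(n == "Set-Cookie" and EXPIRED in v for n, v in headers)


def run(cookie_header, identifier, status_on_denied):
    """Dispatch one request with the given Cookie header through the stack."""
    environ = {"HTTP_COOKIE": cookie_header}
    app = challenge_middleware(lambda e: protected_app(e, status_on_denied), identifier)
    return app(environ)


if __name__ == "__main__":
    for label, cookie, ident, denied in [
        ("anonymous, 401", "", CookieIdentifier(), 401),
        ("bob, app returns 401", "auth_tkt=bob", CookieIdentifier(), 401),
        ("bob, app returns 403", "auth_tkt=bob", CookieIdentifier(), 403),
        ("bob, 401 but forget()=[]", "auth_tkt=bob", KeepCredentialsIdentifier(), 401),
        ("admin", "auth_tkt=admin", CookieIdentifier(), 401),
    ]:
        status, headers, _ = run(cookie, ident, denied)
        print(f"{label:28} -> {status}, logged out: {cookie_cleared(headers)}")
```

The second and third cases are the crux of the thread: with the stock identifier, the only thing deciding whether "bob" keeps his cookie is whether the application answers the denied request with 401 or 403.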
Repoze-dev mailing list