On 4/21/05, Chris Withers <[EMAIL PROTECTED]> wrote: > > If it's accessible by anonymous that is the same as not requiring > > authorization. > > I don't think that's the case. I have a specific requirement on the > project I'm currently working on to know who the current user is, even > if the something is anonymously accessible.
So you *allow* authorization, and use it, but you don't *require* it. > Perhaps userfolders should have the opportunity to do something as > they're traversed through to authenticate, rather than waiting until > something that requires authorisation kicks them off? Sounds reasonable. > > Nope, not IE. Yes, that is non-standard. > > Are you sure? I'm pretty sure I remember the ZMI's "logout" link working > in IE, and that relies on returning 401's... Last time I checked it didn't work. > > But they do that so that if > > you click on something that you can NOT access, you can continue > > surfing without having to log in again. Which actually is pretty > > reasonable in a way. > > ...not if they don't also provide a method to consciously drop basic > auth headers ;-) Yet Another Crappy Standard. > Well, I have to say I was really disappointed when I read the W3C specs > for response codes. They freely interchange authentication and > authorization, which are two totally different concepts :-( Right. -- Lennart Regebro, Nuxeo http://www.nuxeo.com/ CPS Content Management http://www.cps-project.org/ _______________________________________________ Zope-Coders mailing list Zope-Coders@zope.org http://mail.zope.org/mailman/listinfo/zope-coders