Re: [Zope-dev] Itemtraverser and Unauthorized vs Views

2008-07-04 Thread Markus Kemmerling


On 04.07.2008 at 07:37, Christian Theune wrote:

> On Fri, 2008-07-04 at 02:10 +0300, Marius Gedminas wrote:
> > On Tue, Jun 24, 2008 at 01:39:28PM +0200, Christian Theune wrote:
> > > [...]
> > > I can explicitly make the URL use '@@viewname' and bypass the item traverser,
> > > but I don't like the @@s in the URL. I wonder whether adding Unauthorized to
> > > the KeyError would be reasonable.
> >
> > I think not.  At least it should not convert Unauthorized into NotFound.
> >
> > If I can access a location (say, http://localhost/container/item) when
> > I'm logged in, then if I try that as an anonymous user, I should get an
> > authentication dialog rather than a 404 Not Found page.
>
> Actually, in my case it's, when logged in I can use:
>
> http://localhost/container/view
>
> When not logged in, I get an Unauthorized, although when accessing
>
> http://localhost/container/@@view
>
> I can go ahead as anonymous.
>
> IMHO the code merging the namespaces should be more careful about that.


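IMHO the ItemTraverser should not look up the view by itself, but
delegate to the 'view' traverser, something like:

    from zope.publisher.interfaces import NotFound
    from zope.traversing.interfaces import TraversalError
    from zope.traversing.namespace import namespaceLookup

    def publishTraverse(self, request, name):
        """See zope.publisher.interfaces.IPublishTraverse"""
        try:
            # Items stored in the container take precedence.
            return self.context[name]
        except KeyError:
            try:
                # Delegate to the 'view' namespace handler.
                return namespaceLookup('view', name, self.context, request)
            except TraversalError:
                pass
        raise NotFound(self.context, name, request)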

Regards
Markus Kemmerling

___
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce

http://mail.zope.org/mailman/listinfo/zope )
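
Added example, not part of the thread and not Zope code: a self-contained model of the three traversal policies under discussion, showing which status an anonymous request ends up with. The Container class, the VIEWS registry and the exception classes are constructed stand-ins; the third policy (view_then_reraise) is an assumption added for comparison and was not proposed in these messages.

```python
# Stand-ins for Zope's Unauthorized / NotFound (constructed, not Zope code).
class Unauthorized(Exception): pass
class NotFound(Exception): pass

class Container:
    """Container whose __getitem__ is permission-protected."""
    def __init__(self, items, can_read):
        self.items, self.can_read = items, can_read
    def __getitem__(self, name):
        if not self.can_read:
            raise Unauthorized(name)  # what a security proxy would raise
        return self.items[name]       # KeyError when there is no such item

VIEWS = {"view": "public-view"}  # hypothetical registry of public views

def view_or(name, exc):
    """Return the registered view, or raise exc if there is none."""
    if name in VIEWS:
        return VIEWS[name]
    raise exc

def current(ctx, name):
    """Behaviour described in the thread: only KeyError reaches view lookup."""
    try:
        return ctx[name]
    except KeyError:
        return view_or(name, NotFound(name))

def swallow_unauthorized(ctx, name):
    """Unauthorized treated like KeyError: a denied item turns into a 404."""
    try:
        return ctx[name]
    except (KeyError, Unauthorized):
        return view_or(name, NotFound(name))

def view_then_reraise(ctx, name):
    """Try the view after a denial, but keep Unauthorized if no view matches."""
    try:
        return ctx[name]
    except KeyError:
        return view_or(name, NotFound(name))
    except Unauthorized as denied:
        return view_or(name, denied)

def outcome(traverse, ctx, name):
    try:
        return traverse(ctx, name)
    except (Unauthorized, NotFound) as exc:
        return type(exc).__name__
```

With the third policy, a view that shares its name with a stored item is served to users who lack the __getitem__ permission while permitted users get the item, so the same URL resolves differently per user.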


Re: [Zope-dev] Itemtraverser and Unauthorized vs Views

2008-07-03 Thread Marius Gedminas
On Tue, Jun 24, 2008 at 01:39:28PM +0200, Christian Theune wrote:
> I have a problem with the standard item traverser provided by
> zope.app.container:
>
> The item traverser looks up an object using the given name and a __getitem__
> call on the context. If this raises a KeyError it tries to look up a view
> given the same name.
>
> If the user does not have the permission to access __getitem__ it will let the
> Unauthorized exception pass through.
>
> In my situation I have two views for which the user doesn't really need the
> permission to access __getitem__ on the container but they can't access the
> views because the __getitem__ call will be tried anyway.
>
> I can explicitly make the URL use '@@viewname' and bypass the item traverser,
> but I don't like the @@s in the URL. I wonder whether adding Unauthorized to
> the KeyError would be reasonable.

I think not.  At least it should not convert Unauthorized into NotFound.

If I can access a location (say, http://localhost/container/item) when
I'm logged in, then if I try that as an anonymous user, I should get an
authentication dialog rather than a 404 Not Found page.

Marius Gedminas
-- 
If nothing else helps, read the documentation.




Re: [Zope-dev] Itemtraverser and Unauthorized vs Views

2008-07-03 Thread Christian Theune
On Fri, 2008-07-04 at 02:10 +0300, Marius Gedminas wrote:
> On Tue, Jun 24, 2008 at 01:39:28PM +0200, Christian Theune wrote:
> > [...]
> > I can explicitly make the URL use '@@viewname' and bypass the item traverser,
> > but I don't like the @@s in the URL. I wonder whether adding Unauthorized to
> > the KeyError would be reasonable.
>
> I think not.  At least it should not convert Unauthorized into NotFound.
>
> If I can access a location (say, http://localhost/container/item) when
> I'm logged in, then if I try that as an anonymous user, I should get an
> authentication dialog rather than a 404 Not Found page.

Actually, in my case it's, when logged in I can use:

http://localhost/container/view

When not logged in, I get an Unauthorized, although when accessing

http://localhost/container/@@view 

I can go ahead as anonymous.

IMHO the code merging the namespaces should be more careful about that.

Christian

-- 
Christian Theune · [EMAIL PROTECTED]
gocept gmbh  co. kg · forsterstraße 29 · 06112 halle (saale) · germany
http://gocept.com · tel +49 345 1229889 7 · fax +49 345 1229889 1
Zope and Plone consulting and development





[Zope-dev] Itemtraverser and Unauthorized vs Views

2008-06-24 Thread Christian Theune
Hi,

I have a problem with the standard item traverser provided by
zope.app.container:

The item traverser looks up an object using the given name and a __getitem__
call on the context. If this raises a KeyError it tries to look up a view
given the same name.

If the user does not have the permission to access __getitem__ it will let the
Unauthorized exception pass through.

In my situation I have two views for which the user doesn't really need the
permission to access __getitem__ on the container but they can't access the
views because the __getitem__ call will be tried anyway.

I can explicitly make the URL use '@@viewname' and bypass the item traverser,
but I don't like the @@s in the URL. I wonder whether adding Unauthorized to
the KeyError would be reasonable.

Christian


-- 
Christian Theune · [EMAIL PROTECTED]
gocept gmbh  co. kg · forsterstraße 29 · 06112 halle (saale) · germany
http://gocept.com · tel +49 345 1229889 7 · fax +49 345 1229889 1
Zope and Plone consulting and development