Re: [Zope-dev] Itemtraverser and Unauthorized vs Views
On 04.07.2008 at 07:37, Christian Theune wrote:
> On Fri, 2008-07-04 at 02:10 +0300, Marius Gedminas wrote:
>> On Tue, Jun 24, 2008 at 01:39:28PM +0200, Christian Theune wrote:
>> [...]
>>> I can explicitly make the URL use '@@viewname' and bypass the item
>>> traverser, but I don't like the @@s in the URL. I wonder whether
>>> adding Unauthorized to the KeyError would be reasonable.
>>
>> I think not. At least it should not convert Unauthorized into
>> NotFound. If I can access a location (say,
>> http://localhost/container/item) when I'm logged in, then if I try
>> that as an anonymous user, I should get an authentication dialog
>> rather than a 404 Not Found page.
>
> Actually, in my case it's, when logged in I can use:
> http://localhost/container/view
>
> When not logged in, I get an Unauthorized, although when accessing
> http://localhost/container/@@view I can go ahead as anonymous.
>
> IMHO the code merging the namespaces should be more careful about that.

IMHO the ItemTraverser should not look up the view by itself, but delegate to the 'view' traverser, something like:

    def publishTraverse(self, request, name):
        """See zope.publisher.interfaces.IPublishTraverse"""
        try:
            # try the container item first
            return self.context[name]
        except KeyError:
            try:
                # no such item: delegate to the 'view' namespace traverser
                return namespaceLookup('view', name, self.context, request)
            except TraversalError:
                pass
        # neither an item nor a view
        raise NotFound(self.context, name, request)

Regards
Markus Kemmerling

___
Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] Itemtraverser and Unauthorized vs Views
On Tue, Jun 24, 2008 at 01:39:28PM +0200, Christian Theune wrote:
> I have a problem with the standard item traverser provided by
> zope.app.container:
>
> The item traverser looks up an object using the given name and a
> __getitem__ call on the context. If this raises a KeyError it tries to
> look up a view given the same name.
>
> If the user does not have the permission to access __getitem__ it will
> let the Unauthorized exception pass through.
>
> In my situation I have two views for which the user doesn't really need
> the permission to access __getitem__ on the container but they can't
> access the views because the __getitem__ call will be tried anyway.
>
> I can explicitly make the URL use '@@viewname' and bypass the item
> traverser, but I don't like the @@s in the URL. I wonder whether adding
> Unauthorized to the KeyError would be reasonable.

I think not. At least it should not convert Unauthorized into NotFound. If I can access a location (say, http://localhost/container/item) when I'm logged in, then if I try that as an anonymous user, I should get an authentication dialog rather than a 404 Not Found page.

Marius Gedminas
--
If nothing else helps, read the documentation.

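The traversal behaviours discussed in this thread, modelled without Zope as an added example (not code from any poster or from zope.app.container): `stock` follows the description in the original post, `proposed` is the "add Unauthorized to the KeyError" idea, and `deferred` is a hypothetical variant that falls back to the view but re-raises the Unauthorized when no view matches. The exception classes, `GuardedContainer`, `VIEWS` and `outcome` are constructed stand-ins.

```python
class Unauthorized(Exception): pass   # stand-in for Zope's Unauthorized
class NotFound(Exception): pass       # stand-in for the publisher's NotFound

class GuardedContainer:
    """Constructed container: __getitem__ needs a permission anonymous lacks."""
    def __init__(self, items, user):
        self.items, self.user = items, user
    def __getitem__(self, name):
        if self.user is None:            # permission check runs before the lookup
            raise Unauthorized(name)
        return self.items[name]          # KeyError if there is no such item

VIEWS = {"view": "<public view>"}        # constructed registry of public views

def stock(context, name):
    """Behaviour described in the original post: only KeyError falls through."""
    try:
        return context[name]
    except KeyError:
        if name in VIEWS:
            return VIEWS[name]
    raise NotFound(name)

def proposed(context, name):
    """The proposal: treat Unauthorized like KeyError."""
    try:
        return context[name]
    except (KeyError, Unauthorized):
        if name in VIEWS:
            return VIEWS[name]
    raise NotFound(name)                 # a denied item now looks like a 404

def deferred(context, name):
    """Added variant: fall back to views, keep the Unauthorized if none match."""
    try:
        return context[name]
    except KeyError:
        denied = None
    except Unauthorized as exc:
        denied = exc
    if name in VIEWS:
        return VIEWS[name]
    if denied is not None:
        raise denied                     # publisher can still issue the challenge
    raise NotFound(name)

def outcome(traverser, user, name):
    """Return the traversal result or the name of the exception raised."""
    try:
        return traverser(GuardedContainer({"item": "<item>"}, user), name)
    except (Unauthorized, NotFound) as exc:
        return type(exc).__name__
```

With `user=None` as the anonymous visitor, `outcome(proposed, None, "item")` yields `NotFound` where `deferred` yields `Unauthorized`, while both serve `"view"`.
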
Re: [Zope-dev] Itemtraverser and Unauthorized vs Views
On Fri, 2008-07-04 at 02:10 +0300, Marius Gedminas wrote:
> On Tue, Jun 24, 2008 at 01:39:28PM +0200, Christian Theune wrote:
> [...]
>> I can explicitly make the URL use '@@viewname' and bypass the item
>> traverser, but I don't like the @@s in the URL. I wonder whether
>> adding Unauthorized to the KeyError would be reasonable.
>
> I think not. At least it should not convert Unauthorized into
> NotFound. If I can access a location (say,
> http://localhost/container/item) when I'm logged in, then if I try
> that as an anonymous user, I should get an authentication dialog
> rather than a 404 Not Found page.

Actually, in my case it's, when logged in I can use:
http://localhost/container/view

When not logged in, I get an Unauthorized, although when accessing http://localhost/container/@@view I can go ahead as anonymous.

IMHO the code merging the namespaces should be more careful about that.

Christian

--
Christian Theune · [EMAIL PROTECTED]
gocept gmbh co. kg · forsterstraße 29 · 06112 halle (saale) · germany
http://gocept.com · tel +49 345 1229889 7 · fax +49 345 1229889 1
Zope and Plone consulting and development

[Zope-dev] Itemtraverser and Unauthorized vs Views
Hi,

I have a problem with the standard item traverser provided by zope.app.container:

The item traverser looks up an object using the given name and a __getitem__ call on the context. If this raises a KeyError it tries to look up a view given the same name.

If the user does not have the permission to access __getitem__ it will let the Unauthorized exception pass through.

In my situation I have two views for which the user doesn't really need the permission to access __getitem__ on the container but they can't access the views because the __getitem__ call will be tried anyway.

I can explicitly make the URL use '@@viewname' and bypass the item traverser, but I don't like the @@s in the URL. I wonder whether adding Unauthorized to the KeyError would be reasonable.

Christian