Problem:
The view for the unauthorized exception (zope/app/exception/browser/
unauthorized.py/.pt) gets the authentication utility to issue a
challenge, and then draws a page. Drawing the page is silly in some
cases, and problematic in others.
In particular, for session credentials, the user is redirected to
another page because she received an Unauthorized exception on this
one: there is no need to draw an unviewed page for the redirect
request (and I think we don't care about browsers that can't handle a
redirect request).
Moreover, if the metal macro page that wraps the drawn page itself
raises an unauthorized error, the redirect can be overridden.
Solution:
Make the unauthorized view smarter: call the authentication utility's
unauthorized method before rendering the page, and if the request
then has a 303 status, don't bother to render the page. This is
simply the default view, so if someone really cares about a browser
that doesn't support redirects, they can register one more like the
one we have now.
Risks:
Requires more developer work to support browsers that don't support
redirects.
Thoughts?
Gary
___
Zope3-dev mailing list
Zope3-dev@zope.org
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com
