Happy New Year Everyone! As nobody objected until today, I will go on and do the fix on the trunk
--- U:/zope/svn_zope33/src/zope/app/exception/browser/unauthorized.py (revision 71143) +++ U:/zope/svn_zope33/src/zope/app/exception/browser/unauthorized.py (working copy) 
@@ -29,6 +29,11 @@ # Set the error status to 403 (Forbidden) in the case when we don't # challenge the user self.request.response.setStatus(403) + + self.request.response.setHeader('Expires', 'Mon, 26 Jul 1997 05:00:00 GMT') + self.request.response.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate') + self.request.response.setHeader('Pragma', 'no-cache') + principal = self.request.principal auth = zapi.principals() auth.unauthorized(principal.id, self.request)

and backport it also to 3.3 and 3.2

Wednesday, December 20, 2006, 3:05:10 PM, you wrote:

> On Wed, Dec 20, 2006 at 02:36:59PM +0100, Adam Groszer wrote:
>> Hello,
>>
>> Just happened the following:
>>
>>          zope3
>>          server
>>            |
>>            |
>>        squid proxy
>>          /   \
>>         /     \
>>        /       \
>>     userA     userB
>>
>> Both my users are sitting behind a squid proxy/firewall.
>> That is a usual out-of-the-box SuSe linux firewall/proxy config.
>> Each request goes through the squid proxy.
>> userA does NOT have permission to http://zope3/ap_test/folder1.
>> userB has permission to everything, including http://zope3/ap_test/folder1,
>> he might even be a zope.manager.
>>
>> 1. userA accesses http://zope3/ap_test/folder1
>> 2. userA gets the usual "Unauthorized, You are not authorized" message
>> 3. userB accesses http://zope3/ap_test/folder1
>> 4. BANG!, userB gets also the "Unauthorized, You are not authorized" message
>>
>> Investigating further, the request at 3. does not get to the zope3
>> server. It got served by squid.
>>
>> Adding the "no-store, no-cache, must-revalidate" etc. headers to the
>> Unauthorized page solves the problem.
>>
>> Any opinions about that? Is it my mistake, a squid bug, a Z3 bug?

> Er, more like a squid feature, see negative_ttl. Not sure what the best
> way is to get around this though, "no-cache" is probably reasonable.

--
Best regards,
Adam
mailto:[EMAIL PROTECTED]

--
Quote of the day:
Avoid reality at all costs.
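Review bot: the three new setHeader calls in the hunk carry no comment explaining why they exist; add one above the Expires line saying that a caching proxy (squid in this thread, via negative_ttl) would otherwise hand the cached Unauthorized page to a different user, since a later reader will not know what the hard-coded 'Mon, 26 Jul 1997 05:00:00 GMT' Expires value is for. Note also that the headers are set before auth.unauthorized(principal.id, self.request), so they apply to whatever challenge that call issues as well as to the plain 403, which is worth stating in the comment; and a test asserting that Cache-Control and Pragma are present on the Unauthorized response would keep the planned backports to 3.3 and 3.2 from silently dropping them.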
_______________________________________________ Zope3-dev mailing list Zope3-dev@zope.org Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com