Current situation:

- By default Zope publishes Unauthorized exceptions as "HTTP/1.1 401 
Unauthorized" responses including a basic authentication challenge.

- If the user is not logged in, CMF converts Unauthorized exceptions 
into redirects. The redirect sends them to the login form and has a 
"came_from=" in the query string.

- If the user is already logged in, the default Zope behavior is used. 
Or the request is redirected to the unauth_page if specified. I don't 
know if anybody is using the unauth_page feature. I think a good default 
behavior would be to return "HTTP/1.1 403 Forbidden" responses for 
authenticated users without enough privileges.

- The Unauthorized handling is currently done by the CookieCrumbler. It 
hooks into the error handling process by overriding some methods of the 
HTTPResponse objects. Internal Zope changes partially broke this in 
Zope < 2.12.5, and there is no guarantee the hooks will work in the future.


Meanwhile a much better hook exists for exception handling: Exception 
views. I propose to move most of the Unauthorized handling to a new 
exception view in the ICMFDefaultSkin layer.

All Unauthorized exceptions inside a CMF site are converted by the view: 
into a Redirect exception for anonymous users and into a Forbidden 
exception for authenticated users.

The redirect target is looked up in the 'user/login' Action, making 
CookieCrumbler's auto_login_page setting obsolete. The unauth_page 
setting will no longer be supported.

CookieCrumbler and therefore CMFCore will lose the redirect feature.
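As an added illustration (not CMF's or Zope's own code), the following self-contained Python model shows the conversion the proposed exception view would perform, next to the current default 401 response. The Unauthorized, Redirect and Forbidden classes are stand-ins for the zExceptions classes so the script runs without a Zope installation; `login_url` stands for whatever the 'user/login' Action resolves to, and the host, path and realm strings are constructed for the example.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


# Stand-ins for zExceptions.Unauthorized, Redirect and Forbidden so that the
# example runs without a Zope installation (constructed for this example).
class Unauthorized(Exception):
    pass


class Redirect(Exception):
    def __init__(self, location):
        super().__init__(location)
        self.location = location


class Forbidden(Exception):
    pass


def login_redirect_url(login_url, came_from):
    """Build the login-form URL with the original request URL in came_from."""
    scheme, netloc, path, query, fragment = urlsplit(login_url)
    params = parse_qs(query, keep_blank_values=True)
    params["came_from"] = [came_from]
    return urlunsplit((scheme, netloc, path, urlencode(params, doseq=True), fragment))


def default_zope_response(realm="Zope"):
    """Current default: publish Unauthorized as 401 with a basic-auth challenge."""
    return 401, {"WWW-Authenticate": 'basic realm="%s"' % realm}


def convert_unauthorized(exc, request_url, is_anonymous, login_url):
    """The conversion the proposed exception view performs: anonymous users
    get a Redirect to the login form, authenticated users get Forbidden."""
    if is_anonymous:
        raise Redirect(login_redirect_url(login_url, request_url))
    raise Forbidden(str(exc))


def publish(view, request_url, is_anonymous, login_url):
    """Run a view, apply the conversion, and return the (status, headers)
    pair the publisher would emit for the resulting exception."""
    try:
        try:
            view()
            return 200, {}
        except Unauthorized as exc:
            # Raises Redirect or Forbidden, caught by the outer handlers below.
            convert_unauthorized(exc, request_url, is_anonymous, login_url)
    except Redirect as redirect:
        return 302, {"Location": redirect.location}
    except Forbidden:
        return 403, {}


def protected_view():
    """A view that denies access, as a restricted CMF object would."""
    raise Unauthorized("You are not allowed to access this document")


if __name__ == "__main__":
    site = "http://site.example"       # constructed host
    login = site + "/login_form"       # assumed target of the 'user/login' Action
    doc = site + "/folder/doc"         # constructed protected object
    print(default_zope_response())                    # current default: 401 + challenge
    print(publish(protected_view, doc, True, login))  # anonymous: 302 to login form
    print(publish(protected_view, doc, False, login)) # authenticated: 403, no challenge
```

Note that neither converted response carries a WWW-Authenticate header, so a browser that already holds valid credentials is no longer prompted again for a resource it simply is not allowed to see.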

If there are no objections, I'll check in that change on CMF trunk.


Zope-CMF maillist  -  Zope-CMF@zope.org

See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests
