- By default Zope publishes Unauthorized exceptions as "HTTP/1.1 401 Unauthorized" responses including a basic authentication challenge.
- If the user is not logged in, CMF converts Unauthorized exceptions into redirects. The redirect sends them to the login form and carries a "came_from=" parameter in the query string.
- If the user is already logged in, the default Zope behavior is used, or the request is redirected to the unauth_page if one is specified. I don't know if anybody is using the unauth_page feature. I think a good default behavior would be to return "HTTP/1.1 403 Forbidden" responses for authenticated users without enough privileges.
- The Unauthorized handling is currently done by the CookieCrumbler. It hooks into the error handling process by overriding some methods of the HTTPResponse objects. Internal Zope changes partially broke this in Zope < 2.12.5, and there is no guarantee the hooks will keep working in future. Meanwhile a much better hook exists for exception handling: exception views. I propose to move most of the Unauthorized handling to a new exception view in the ICMFDefaultSkin layer.
All Unauthorized exceptions inside a CMF site are converted by the view: into a Redirect exception for anonymous users and into a Forbidden exception for authenticated users. The redirect target is looked up in the 'user/login' Action, making CookieCrumbler's auto_login_page setting obsolete. The unauth_page setting will no longer be supported. CookieCrumbler, and therefore CMFCore, will lose the redirect feature.
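As an added illustration of the decision logic described above (this is not CMF's or Zope's own code and is not the proposed patch), the following plain-Python sketch models the exception view and a tiny publisher. The Unauthorized, Redirect and Forbidden classes, the Request and Site objects, the is_anonymous / list_action_infos methods and the fallback to a 401 challenge when no 'user/login' Action is configured are all constructed stand-ins for zExceptions, the Zope request and the CMF tools; the ZCML registration of the view for the ICMFDefaultSkin layer is omitted.

```python
from urllib.parse import urlencode


# --- stand-ins for zExceptions (constructed for this example) ---
class Unauthorized(Exception):
    """Raised when access to a resource is denied."""


class Redirect(Exception):
    """Stand-in for zExceptions.Redirect: the publisher answers with a 302."""
    def __init__(self, url):
        super().__init__(url)
        self.url = url


class Forbidden(Exception):
    """Stand-in for zExceptions.Forbidden: the publisher answers with a 403."""


# --- minimal models of the request and of a CMF site (constructed) ---
class Request:
    def __init__(self, url, query=None, authenticated=False):
        self.url = url                   # URL of the resource that was requested
        self.query = dict(query or {})   # its query string, as a dict
        self.authenticated = authenticated

    def came_from(self):
        """Full URL to return to after login: path plus the original query."""
        if self.query:
            return self.url + "?" + urlencode(sorted(self.query.items()))
        return self.url


class Site:
    """Just enough of portal_actions / portal_membership for the view."""
    def __init__(self, login_url=None):
        # the 'user/login' Action is where the view takes its redirect target
        self.actions = {"user/login": login_url} if login_url else {}

    def list_action_infos(self, action_chain, request):
        """Mimics portal_actions.listActionInfos for a single action id."""
        url = self.actions.get(action_chain)
        return [{"id": action_chain, "url": url}] if url else []

    def is_anonymous(self, request):
        """Mimics portal_membership.isAnonymousUser()."""
        return not request.authenticated


class UnauthorizedView:
    """Sketch of the proposed exception view for Unauthorized in the skin layer."""
    def __init__(self, context, request, exception):
        self.context = context
        self.request = request
        self.exception = exception

    def __call__(self):
        site, request = self.context, self.request
        if not site.is_anonymous(request):
            # logged in but lacking the permission: a login form would not help,
            # so answer with a definite 403 instead of bouncing to the form
            raise Forbidden(str(self.exception))
        infos = site.list_action_infos("user/login", request)
        if not infos:
            # assumption: with no login Action configured, fall back to Zope's
            # default 401 + basic-auth challenge by re-raising the original
            raise self.exception
        target = infos[0]["url"] + "?" + urlencode({"came_from": request.came_from()})
        raise Redirect(target)


def publish(site, request, handler):
    """Tiny stand-in for the publisher's error handling.

    Runs the handler and maps the exception the view raises onto the
    (status, headers) pair a real HTTPResponse would end up carrying.
    """
    try:
        handler()
    except Unauthorized as exc:
        try:
            UnauthorizedView(site, request, exc)()
        except Redirect as r:
            return 302, {"Location": r.url}
        except Forbidden:
            return 403, {}
        except Unauthorized:
            return 401, {"WWW-Authenticate": 'basic realm="Zope"'}
        raise RuntimeError("exception view must raise")  # defensive; not reached
    return 200, {}


if __name__ == "__main__":
    site = Site(login_url="http://example.invalid/portal/login_form")  # constructed
    def deny():
        raise Unauthorized("view_private_resource")
    print(publish(site, Request("http://example.invalid/portal/private", {"x": "1"}), deny))
    print(publish(site, Request("http://example.invalid/portal/private", authenticated=True), deny))
```

The security-relevant part is the branch on is_anonymous before any response is chosen: an anonymous visitor is sent to the login form with the original URL preserved in came_from, while a user who is already authenticated and still lacks the permission gets a 403 rather than a second login prompt or a redirect to a form they have already passed.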
If there are no objections, I'll check in that change on CMF trunk.
Zope-CMF maillist - Zope-CMF@zope.org
See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests