> Current situation:
> - By default Zope publishes Unauthorized exceptions as "HTTP/1.1 401
> Unauthorized" responses including a basic authentication challenge.
> - If the user is not logged in, CMF converts Unauthorized exceptions
> into redirects. The redirect sends them to the login form and has a
> "came_from=" in the query string.
> - If the user is already logged in, the default Zope behavior is used,
> or the request is redirected to the unauth_page if specified. I don't
> know if anybody is using the unauth_page feature. I think a good default
> behavior would be to return "HTTP/1.1 403 Forbidden" responses for
> authenticated users without enough privileges.
> - The Unauthorized handling is currently done by the CookieCrumbler. It
> hooks into the error handling process by overriding some methods of the
> HTTPResponse objects. Internal Zope changes did partially break this in
> Zope < 2.12.5; there is no guarantee the hooks will work in future.
> Meanwhile a much better hook exists for exception handling: Exception
> views. I propose to move most of the Unauthorized handling to a new
> exception view in the ICMFDefaultSkin layer.
> All Unauthorized exceptions inside a CMF site are converted by the view:
> into a Redirect exception for anonymous users and into a Forbidden
> exception for authenticated users.
> The redirect target is looked up in the 'user/login' Action, making
> CookieCrumbler's auto_login_page setting obsolete. The unauth_page
> setting will no longer be supported.
> CookieCrumbler and therefore CMFCore will lose the redirect feature.
> If there are no objections, I'll check in that change on CMF trunk.
Tres Seaver +1 540-429-0999 tsea...@palladion.com
Palladion Software "Excellence by Design" http://palladion.com
Zope-CMF maillist - Zope-CMF@zope.org
See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests
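
The behaviour proposed in the quoted message, modelled as an added example (not code from the thread or from CMF): Unauthorized stays a 401 challenge outside a CMF site, becomes a redirect to the login form with "came_from=" for anonymous users, and becomes 403 Forbidden for logged-in users. The exception classes are stand-ins for the zExceptions ones, and the URLs, the realm string and the function names are assumptions made for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Stand-ins for the exception classes named in the thread, so this runs offline.
class Unauthorized(Exception):
    status = 401

class Forbidden(Exception):
    status = 403

class Redirect(Exception):
    status = 302

def unauthorized_view(exc, user_is_anonymous, request_url, login_url):
    """Hypothetical model of the proposed exception view inside a CMF site."""
    if user_is_anonymous:
        # Anonymous: send to the login form and remember the original URL.
        # urlencode() escapes '?' and '&' so the original query string survives.
        return Redirect(login_url + "?" + urlencode({"came_from": request_url}))
    # Already logged in: another login would not grant the missing privilege.
    return Forbidden(str(exc))

def publish_error(exc, in_cmf_site, user_is_anonymous, request_url, login_url):
    """Map an exception raised during publishing to (status, headers)."""
    if isinstance(exc, Unauthorized) and in_cmf_site:
        exc = unauthorized_view(exc, user_is_anonymous, request_url, login_url)
    headers = {}
    if isinstance(exc, Unauthorized):
        # Default behaviour outside the site: basic authentication challenge.
        headers["WWW-Authenticate"] = 'basic realm="Zope"'  # realm is assumed
    elif isinstance(exc, Redirect):
        headers["Location"] = str(exc)
    return exc.status, headers

def came_from_of(location):
    """Recover the came_from value the login form would receive."""
    return parse_qs(urlsplit(location).query)["came_from"][0]

# Constructed sample values; LOGIN_URL stands for the 'user/login' Action target.
LOGIN_URL = "http://example.org/site/login_form"
REQUEST_URL = "http://example.org/site/members/private?x=1&y=2"

if __name__ == "__main__":
    for in_site, anon in [(False, True), (True, True), (True, False)]:
        err = Unauthorized("You are not allowed to access 'private'")
        print(in_site, anon, publish_error(err, in_site, anon, REQUEST_URL, LOGIN_URL))
```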