
yuppie wrote:
> Hi!
> Current situation:
> - By default Zope publishes Unauthorized exceptions as "HTTP/1.1 401 
> Unauthorized" responses including a basic authentication challenge.
> - If the user is not logged in, CMF converts Unauthorized exceptions 
> into redirects. The redirect sends them to the login form and has a 
> "came_from=" in the query string.
> - If the user is already logged in, the default Zope behavior is used. 
> Or the request is redirected to the unauth_page if specified. I don't 
> know if anybody is using the unauth_page feature. I think a good default 
> behavior would be to return "HTTP/1.1 403 Forbidden" responses for 
> authenticated users without enough privileges.
> - The Unauthorized handling is currently done by the CookieCrumbler. It 
> hooks into the error handling process by overriding some methods of the 
> HTTPResponse objects. Internal Zope changes did partially break this in 
> Zope < 2.12.5, and there is no guarantee the hooks will work in the future.
> Proposal:
> Meanwhile a much better hook exists for exception handling: Exception 
> views. I propose to move most of the Unauthorized handling to a new 
> exception view in the ICMFDefaultSkin layer.
> All Unauthorized exceptions inside a CMF site are converted by the view: 
> into a Redirect exception for anonymous users and into a Forbidden 
> exception for authenticated users.
> The redirect target is looked up in the 'user/login' Action, making 
> CookieCrumbler's auto_login_page setting obsolete. The unauth_page 
> setting will no longer be supported.
> CookieCrumbler and therefore CMFCore will lose the redirect feature.
> If there are no objections, I'll check in that change on CMF trunk.


--
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
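
The conversion proposed in the quoted message, modelled in standalone Python as an added example that is not part of the thread and is not CMF or Zope code. The exception classes, function names, the 302 status, the `Basic realm="Zope"` value and the redirect-loop guard are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Stand-in exception classes for this model (assumed names, not Zope imports).
class Unauthorized(Exception): pass
class Forbidden(Exception): pass
class Redirect(Exception):
    def __init__(self, url):
        super().__init__(url)
        self.url = url

def login_url_with_came_from(login_url, came_from):
    """Add came_from to the login URL, keeping its existing query intact."""
    parts = urlsplit(login_url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "came_from"]
    query.append(("came_from", came_from))  # urlencode() escapes '&', '?', '='
    return urlunsplit(parts._replace(query=urlencode(query)))

def convert_unauthorized(exc, is_anonymous, request_url, login_url):
    """Return the exception that should be published instead of exc."""
    if not isinstance(exc, Unauthorized):
        return exc
    if not is_anonymous:
        # Logged in but lacking privileges: a login prompt cannot help.
        return Forbidden(str(exc))
    # Assumption: with no login target, or when the login form itself is
    # what raised Unauthorized, keep the default 401 to avoid a redirect loop.
    if not login_url or urlsplit(request_url).path == urlsplit(login_url).path:
        return exc
    return Redirect(login_url_with_came_from(login_url, request_url))

def status_and_headers(exc):
    """Map the resulting exception to the kind of response the thread names."""
    if isinstance(exc, Redirect):
        return 302, {"Location": exc.url}  # 302 is this model's choice
    if isinstance(exc, Forbidden):
        return 403, {}
    if isinstance(exc, Unauthorized):
        return 401, {"WWW-Authenticate": 'Basic realm="Zope"'}  # constructed
    return 500, {}

if __name__ == "__main__":
    # Constructed sample request, not taken from the thread.
    err = Unauthorized("You are not allowed to access 'doc'")
    url, login = "http://example.org/site/doc?a=1&b=2", "http://example.org/site/login_form"
    for anonymous in (True, False):
        print(anonymous, status_and_headers(convert_unauthorized(err, anonymous, url, login)))
```

Because `came_from` carries a full URL with its own query string, it has to be percent-encoded as a single parameter value; otherwise `&b=2` would be parsed as a parameter of the login form.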


Zope-CMF maillist  -  Zope-CMF@zope.org

See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests
