yuppie wrote:
> Hi!
>
>
> Current situation:
>
> - By default Zope publishes Unauthorized exceptions as "HTTP/1.1 401
> Unauthorized" responses including a basic authentication challenge.
>
> - If the user is not logged in, CMF converts Unauthorized exceptions
> into redirects. The redirect sends them to the login form and has a
> "came_from=" in the query string.
>
> - If the user is already logged in, the default Zope behavior is used.
> Or the request is redirected to the unauth_page if specified. I don't
> know if anybody is using the unauth_page feature. I think a good default
> behavior would be to return "HTTP/1.1 403 Forbidden" responses for
> authenticated users without enough privileges.
>
> - The Unauthorized handling is currently done by the CookieCrumbler. It
> hooks into the error handling process by overriding some methods of the
> HTTPResponse objects. Internal Zope changes did partially break this in
> Zope < 2.12.5; there is no guarantee the hooks will work in future.
>
>
> Proposal:
>
> Meanwhile a much better hook exists for exception handling: Exception
> views. I propose to move most of the Unauthorized handling to a new
> exception view in the ICMFDefaultSkin layer.
>
> All Unauthorized exceptions inside a CMF site are converted by the view.
> Into a Redirect exception for anonymous users and into a Forbidden
> exception for authenticated users.
>
> The redirect target is looked up in the 'user/login' Action, making
> CookieCrumbler's auto_login_page setting obsolete. The unauth_page
> setting will no longer be supported.
>
> CookieCrumbler and therefore CMFCore will lose the redirect feature.
>
>
> If there are no objections, I'll check in that change on CMF trunk.

+1.

Tres.
-- 
===================================================================
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
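
The conversion proposed in the quoted message, sketched as an added example that is not part of this thread or of CMF's code. The exception classes are stand-ins for the zExceptions ones, and convert_unauthorized(), publish(), the example.org URLs and the fallback for a missing 'user/login' Action are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Stand-ins for the zExceptions classes so the sketch runs without Zope.
class Unauthorized(Exception): pass
class Forbidden(Exception): pass
class Redirect(Exception): pass

def convert_unauthorized(exc, is_anonymous, login_url, request_url):
    """Return the exception that replaces Unauthorized inside the site."""
    if not is_anonymous:
        # Logged in but lacking privileges: re-authenticating cannot help.
        return Forbidden(str(exc))
    if not login_url:
        # Assumption: with no 'user/login' Action, keep Zope's default.
        return exc
    parts = urlsplit(login_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    # urlencode() escapes '&', '=' and '?' in the original URL, so its own
    # query string cannot leak into the login form's parameters.
    query.append(("came_from", request_url))
    return Redirect(urlunsplit(parts._replace(query=urlencode(query))))

def publish(exc):
    """Map the resulting exception to (status, headers)."""
    if isinstance(exc, Redirect):
        return 302, {"Location": str(exc)}
    if isinstance(exc, Forbidden):
        return 403, {}
    # Default Zope behaviour for Unauthorized: basic auth challenge.
    return 401, {"WWW-Authenticate": 'basic realm="Zope"'}

if __name__ == "__main__":
    login = "http://example.org/site/login_form"      # constructed
    url = "http://example.org/site/private?a=1&b=2"   # constructed
    for anonymous in (True, False):
        converted = convert_unauthorized(Unauthorized("View"), anonymous, login, url)
        print("anonymous" if anonymous else "authenticated", publish(converted))
```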