The refactoring on the cookiecrumbler_with_views branch is almost done.
There are 3 small CookieCrumbler 'features' I'd like to remove before
merging the changes into CMF trunk:
1.) insufficient privileges page (unauth_page property)
Logged in users are usually redirected to a view that tells them they
don't have sufficient privileges. Anonymous users are usually redirected
to a login form. AFAICS PAS has no built in support for that distinction
and Plone uses require_login as dispatcher.
By default CookieCrumbler only redirects anonymous users to the login
form. But allows to specify a redirect target for logged in users in the
I propose to remove that feature because all redirection logic is moved
to the UnauthorizedView. By default Forbidden is raised with a message
similar to Plone's insufficient_privileges. If you want to customize
that, you have to override the UnauthorizedView.
2.) redirect loop detection (disable_cookie_login__ parameter)
AFAICS the special disable_cookie_login__=1 behavior is only used to
prevent redirect loops caused by unauthorized exceptions in the
login_form. This can only happen in mis-configured sites. And browsers
are responsible for ending infinite redirect loops, so even in the case
of misconfiguration nothing bad happens.
I propose to remove that feature completely. I there is a reason why we
have to detect redirect loops, we should at least do it without a
special query parameter. CookieAuthHelper.unauthorized of PAS checks if
ACTUAL_URL is the login_form URL.
3.) retry detection (retry parameter)
AFAICS no special retry=1 behavior is implemented, so I can't see a
reason why we should set the retry parameter. PAS also works without
that feature. I propose to remove that feature completely.
Please let me know if there are any objections.
Zope-CMF maillist - Zope-CMF@zope.org
See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests