yuppie wrote:
> Hi!
>
>
> The refactoring on the cookiecrumbler_with_views branch is almost done.
> There are 3 small CookieCrumbler 'features' I'd like to remove before
> merging the changes into CMF trunk:
>
>
> 1.) insufficient privileges page (unauth_page property)
> =======================================================
>
> Logged in users are usually redirected to a view that tells them they
> don't have sufficient privileges. Anonymous users are usually redirected
> to a login form. AFAICS PAS has no built-in support for that distinction
> and Plone uses require_login as dispatcher.
>
> By default CookieCrumbler only redirects anonymous users to the login
> form. But it allows you to specify a redirect target for logged in users
> in the unauth_page property.
>
> I propose to remove that feature because all redirection logic is moved
> to the UnauthorizedView. By default Forbidden is raised with a message
> similar to Plone's insufficient_privileges. If you want to customize
> that, you have to override the UnauthorizedView.

+1.

> 2.) redirect loop detection (disable_cookie_login__ parameter)
> ==============================================================
>
> AFAICS the special disable_cookie_login__=1 behavior is only used to
> prevent redirect loops caused by unauthorized exceptions in the
> login_form. This can only happen in mis-configured sites. And browsers
> are responsible for ending infinite redirect loops, so even in the case
> of misconfiguration nothing bad happens.
>
> I propose to remove that feature completely. If there is a reason why we
> have to detect redirect loops, we should at least do it without a
> special query parameter. CookieAuthHelper.unauthorized of PAS checks if
> ACTUAL_URL is the login_form URL.

+1.

> 3.) retry detection (retry parameter)
> =====================================
>
> AFAICS no special retry=1 behavior is implemented, so I can't see a
> reason why we should set the retry parameter. PAS also works without
> that feature. I propose to remove that feature completely.

+1.


Tres.
--
===================================================================
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com

_______________________________________________
Zope-CMF maillist  -  Zope-CMF@zope.org
https://mail.zope.org/mailman/listinfo/zope-cmf

See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests
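
Added example (not part of the original message, and not CookieCrumbler or PAS code): a framework-free Python sketch of the behaviour discussed in points 1 and 2, where anonymous users are redirected to the login form, logged-in users get Forbidden, and a redirect loop is avoided by comparing the requested URL with the login form URL instead of using a special query parameter. The function names, the `came_from` parameter and the `site.example` URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlencode

LOGIN_URL = "https://site.example/login_form"  # constructed sample value


class Forbidden(Exception):
    """Logged-in user without sufficient privileges: an error, no redirect."""


def same_page(url_a, url_b):
    """Compare scheme, host and path; ignore query string and fragment."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return ((a.scheme, a.netloc.lower(), a.path.rstrip("/")) ==
            (b.scheme, b.netloc.lower(), b.path.rstrip("/")))


def on_unauthorized(actual_url, is_anonymous, login_url=LOGIN_URL):
    """Return a redirect target, or None when no redirect must be issued."""
    if not is_anonymous:
        raise Forbidden("Insufficient privileges")
    if same_page(actual_url, login_url):
        # The login form itself raised Unauthorized (mis-configured site):
        # redirecting to it again would loop, so issue no redirect.
        return None
    return login_url + "?" + urlencode({"came_from": actual_url})


def follow(start_url, protected_paths, max_hops=10):
    """Simulate an anonymous browser; return the list of URLs requested."""
    visited, url = [], start_url
    for _ in range(max_hops):
        visited.append(url)
        if urlsplit(url).path not in protected_paths:
            break  # page rendered normally
        url = on_unauthorized(url, is_anonymous=True)
        if url is None:
            break  # loop detected: an error is shown instead of a redirect
    return visited
```

With the login form itself listed as protected, `follow` stops after the second request instead of running to `max_hops`.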