On 4/21/05, Chris Withers <[EMAIL PROTECTED]> wrote:
> > If it's accessible by anonymous that is the same as not requiring
> > authorization.
>
> I don't think that's the case. I have a specific requirement on the
> project I'm currently working on to know who the current user is, even
> if the something is anonymously accessible.

So you *allow* authorization, and use it, but you don't *require* it.

> Perhaps userfolders should have the opportunity to do something as
> they're traversed through to authenticate, rather than waiting until
> something that requires authorisation kicks them off?

> > Nope, not IE. Yes, that is non-standard.
>
> Are you sure? I'm pretty sure I remember the ZMI's "logout" link working
> in IE, and that relies on returning 401's...

Last time I checked it didn't work.

> > But they do that so that if
> > you click on something that you can NOT access, you can continue
> > surfing without having to log in again. Which actually is pretty
> > reasonable in a way.
>
> ...not if they don't also provide a method to consciously drop basic
> auth headers ;-)

Yet Another Crappy Standard.

> Well, I have to say I was really disappointed when I read the W3C specs
> for response codes. They freely interchange authentication and
> authorization, which are two totally different concepts :-(

Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/

Zope-Coders mailing list