On 4/21/05, Chris Withers <[EMAIL PROTECTED]> wrote:
> > If it's accessible by anonymous that is the same as not requiring 
> > authorization.
> I don't think that's the case. I have a specific requirement on the
> project I'm currently working on to know who the current user is, even
> if the something is anonymously accessible.

So you *allow* authorization, and use it, but you don't *require* it.

> Perhaps userfolders should have the opportunity to do something as
> they're traversed through to authenticate, rather than waiting until
> something that requires authorisation kicks them off?

Sounds reasonable.

> > Nope, not IE. Yes, that is non-standard.
> Are you sure? I'm pretty sure I remember the ZMI's "logout" link working
> in IE, and that relies on returning 401's...

Last time I checked it didn't work.

> > But they do that so that if
> > you click on something that you can NOT access, you can continue
> > surfing without having to log in again. Which actually is pretty
> > reasonable in a way.
> ...not if they don't also provide a method to consciously drop basic
> auth headers ;-)

Yet Another Crappy Standard.

> Well, I have to say I was really disappointed when I read the W3C specs
> for response codes. They freely interchange authentication and
> authorization, which are two totally different concepts :-(


Lennart Regebro, Nuxeo     http://www.nuxeo.com/
CPS Content Management     http://www.cps-project.org/