The view for the unauthorized exception (zope/app/exception/browser/ gets the authentication utility to issue a challenge, and then draws a page. Drawing the page is silly in some cases, and problematic in others.

In particular, for session credentials, the user is redirected to another page because she received an Unauthorized exception on this one: there is no need to draw an unviewed page for the redirect request (and I think we don't care about browsers that can't handle a redirect request).

Moreover, if the metal macro page that wraps the drawn page itself raises an unauthorized error, the redirect can be overridden.


Make the unauthorized view smarter: call the authentication utility's unauthorized method before rendering the page, and if the request then has a 303 status, don't bother to render the page. This is simply the default view, so if someone really cares about a browser that doesn't support redirects, they can register one more like the one we have now.


Requires more developer work to support browsers that don't support redirects.


Zope3-dev mailing list

Reply via email to