On Wed, 2006-01-25 at 17:25 -0500, Tres Seaver wrote:
> Stephan Richter wrote:
> > On Wednesday 25 January 2006 05:40, Christian Theune wrote:
> >
> >> I'm quite sure that part b) isn't written yet, but I'm not sure what the
> >> state of part a) is.
> >
> > (a) is done. It is indeed the default Zope behavior.
>
> Hmm, I thought that Zope3's security machinery set the response code to
> 403 (Forbidden) rather than a 401 (Unauthorized) if the user is already
> authenticated, but then tries to do something not allowed. Browsers
> (rightfully) don't treat a 403 as a prompt to reauthenticate. The
> configured authentication service *may* override that to raise
> Unauthorized, but that is not mandated.
I think Zope has a notion of saying "there is no way you could authorize to do this" and "well, you can't do this now, but you might be able to". I think the first thing would be totally private stuff (like in Zope 2 using declarePrivate()), whereas the second thing would be things where the user just misses a permission. AFAIK things without permission declarations are private and the user stands no chance to provide credentials that give him enough grants.

Christian

-- 
gocept gmbh & co. kg - forsterstraße 29 - 06112 halle/saale - germany
www.gocept.com - [EMAIL PROTECTED] - phone +49 345 122 9889 7 - fax +49 345 122 9889 1
zope and plone consulting and development
_______________________________________________
Zope3-dev mailing list
Zope3firstname.lastname@example.org
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com
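The distinction the thread is drawing (a resource that no credentials could ever unlock versus a permission the current principal merely lacks) maps onto the HTTP status codes Tres mentions: 401 carries a WWW-Authenticate challenge and invites the client to retry with credentials, while 403 tells it not to bother. The following is an added example written for this page, not Zope's own security machinery; the names Declarations, Principal, check_access, the PRIVATE/PUBLIC sentinels and the permission ids are hypothetical, and the "undeclared attributes are private" rule follows Christian's description above. The prompt_authenticated flag models the optional authentication-service override Tres describes, where an already-authenticated user is re-challenged with 401 instead of receiving 403.

```python
"""Added illustration of 401-vs-403 decisions for a permission-protected
object.  Hypothetical names; this is not Zope's code."""
from dataclasses import dataclass, field

# Sentinels for the two non-permission cases the thread distinguishes.
PRIVATE = object()  # no permission could ever grant access (declarePrivate-like)
PUBLIC = object()   # no permission required at all


@dataclass
class Declarations:
    """Per-attribute protection map: name -> permission id, PUBLIC or PRIVATE.
    Undeclared attributes are treated as private, as the message states."""
    protections: dict = field(default_factory=dict)

    def protection_for(self, name):
        return self.protections.get(name, PRIVATE)


@dataclass
class Principal:
    id: str
    authenticated: bool
    permissions: frozenset = frozenset()


def check_access(decls, principal, name, prompt_authenticated=False):
    """Return (status, headers) for an attempt by `principal` to use `name`.

    403: the attribute is private or undeclared, so no credentials would
         help; or the principal is already authenticated and simply lacks
         the permission (browsers do not re-prompt on 403).
    401: the attribute is protected by a permission, the request is not
         authenticated (or the auth service chose to re-challenge), so the
         client is invited to present credentials via WWW-Authenticate.
    200: access allowed.
    """
    protection = decls.protection_for(name)
    if protection is PRIVATE:
        return 403, {}
    if protection is PUBLIC or protection in principal.permissions:
        return 200, {}
    if not principal.authenticated or prompt_authenticated:
        # Hypothetical realm name; a real service would configure its own.
        return 401, {"WWW-Authenticate": 'Basic realm="Zope"'}
    return 403, {}


def sample_declarations():
    """Constructed sample object: one public, one permission-guarded and one
    explicitly private attribute; anything else is undeclared."""
    return Declarations({
        "title": PUBLIC,
        "edit": "zope.ManageContent",
        "_secret": PRIVATE,
    })


def demo():
    """Run the cases discussed in the thread and return name -> status."""
    decls = sample_declarations()
    anon = Principal("anonymous", authenticated=False)
    reader = Principal("reader", True, frozenset({"zope.View"}))
    editor = Principal("editor", True, frozenset({"zope.ManageContent"}))
    return {
        "anon_title": check_access(decls, anon, "title")[0],
        "anon_edit": check_access(decls, anon, "edit")[0],
        "reader_edit": check_access(decls, reader, "edit")[0],
        "reader_edit_rechallenge": check_access(decls, reader, "edit", True)[0],
        "editor_edit": check_access(decls, editor, "edit")[0],
        "editor_secret": check_access(decls, editor, "_secret")[0],
        "editor_undeclared": check_access(decls, editor, "nosuchattr")[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:28s} -> {status}")
```

The security-relevant behaviour is in the last two branches of check_access: an authenticated principal who lacks the permission gets 403 by default, so a browser will not loop on a credential prompt, and only the unauthenticated (or explicitly re-challenged) case emits the 401 with its WWW-Authenticate header.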