On Wed, 2006-01-25 at 17:25 -0500, Tres Seaver wrote:
> Hash: SHA1
> Stephan Richter wrote:
> > On Wednesday 25 January 2006 05:40, Christian Theune wrote:
> > 
> >>I'm quite sure that part b) isn't written yet, but I'm not sure what the
> >>state of part a) is.
> > 
> > 
> > (a) is done. It is indeed the default Zope behavior.
> Hmm, I thought that Zope3's security machinery set the response code to
> 403 (forbidden) rather than a 401 (Unauthorized) if the user is already
> authenticated. but then tries to do something not allowed.  Browsers
> (rightfully) don't treat a 403 as a prompt to reauthenticate.  The
> configureed authentication service *may* override that to raise
> Unauthorized, but that is not mandated.

I think Zope has a notion of saying "there is no way you could authorize
to do this" and "well. you can't do this now, but you might be able".

I think the first thing would be totally private stuff (like in Zope 2
using declarePrivate()) whereas the second thing would be things where
the user just misses a permission.

AFAIK things without permission declarations are private and the user
stands no chance to provide credentials that give him enough grants.


gocept gmbh & co. kg - forsterstra├če 29 - 06112 halle/saale - germany
www.gocept.com - [EMAIL PROTECTED] - phone +49 345 122 9889 7 -
fax +49 345 122 9889 1 - zope and plone consulting and development

Attachment: signature.asc
Description: This is a digitally signed message part

Zope3-dev mailing list
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com

Reply via email to