[Zope-CMF] [dev] Unauthorized handling - a proposal

Tres Seaver tseaver at palladion.com
Tue Apr 20 12:40:52 EDT 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

yuppie wrote:
> Hi!
> 
> 
> Current situation:
> 
> - By default Zope publishes Unauthorized exceptions as "HTTP/1.1 401 
> Unauthorized" responses including a basic authentication challenge.
> 
> - If the user is not logged in, CMF converts Unauthorized exceptions 
> into redirects. The redirect sends them to the login form and has a 
> "came_from=" in the query string.
> 
> - If the user is already logged in, the default Zope behavior is used. 
> Or the request is redirected to the unauth_page if specified. I don't 
> know if anybody is using the unauth_page feature. I think a good default 
> behavior would be to return "HTTP/1.1 403 Forbidden" responses for 
> authenticated users without enough privileges.
> 
> - The Unauthorized handling is currently done by the CookieCrumbler. It 
> hooks into the error handling process by overriding some methods of the 
> HTTPResponse objects. Internal Zope changes did partially break this in 
> Zope < 2.12.5, and there is no guarantee the hooks will work in future.
> 
> 
> Proposal:
> 
> Meanwhile a much better hook exists for exception handling: Exception 
> views. I propose to move most of the Unauthorized handling to a new 
> exception view in the ICMFDefaultSkin layer.
> 
> All Unauthorized exceptions inside a CMF site are converted by the view: 
> into a Redirect exception for anonymous users and into a Forbidden 
> exception for authenticated users.
> 
> The redirect target is looked up in the 'user/login' Action, making 
> CookieCrumbler's auto_login_page setting obsolete. The unauth_page 
> setting will no longer be supported.
> 
> CookieCrumbler and therefore CMFCore will lose the redirect feature.
> 
> 
> If there are no objections, I'll check in that change on CMF trunk.

+1.


Tres.
- --
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkvN2RQACgkQ+gerLs4ltQ58FwCdHh/mOORuBz8pvTmGr2cJtHba
NM4AoLeUafYGzUko6uM2uRhqQ0SzY5P4
=DHRR
-----END PGP SIGNATURE-----
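The behaviour yuppie's proposal describes (an exception view that turns Unauthorized into a redirect to the login form with a came_from parameter for anonymous users, and into a 403 for authenticated users, instead of Zope's default 401 basic-auth challenge) can be sketched framework-independently. The following is an added example, not code from CMF or from the thread's authors; the Request/Response classes, the Unauthorized stand-in, the /login_form URL and the publish() wrapper are assumptions made so it runs outside Zope.

```python
from dataclasses import dataclass, field
from urllib.parse import urlencode


@dataclass
class Request:
    """Minimal stand-in for a Zope request (constructed for this example)."""
    url: str              # absolute URL of the request that raised Unauthorized
    authenticated: bool   # True when a non-anonymous user is logged in


@dataclass
class Response:
    """Minimal stand-in for HTTPResponse (constructed for this example)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


class Unauthorized(Exception):
    """Stand-in for AccessControl.Unauthorized."""


def default_zope_response(realm: str = "Zope") -> Response:
    """What Zope does without any CMF hook: 401 plus a basic-auth challenge."""
    return Response(401, {"WWW-Authenticate": f'basic realm="{realm}"'}, "Unauthorized")


def login_action_url(site_url: str) -> str:
    """Stand-in for resolving the 'user/login' Action; the path is assumed."""
    return site_url.rstrip("/") + "/login_form"


def unauthorized_view(exc: Unauthorized, request: Request, site_url: str) -> Response:
    """The proposed exception view: Forbidden for logged-in users, Redirect otherwise."""
    if request.authenticated:
        # A logged-in user lacking privileges gets 403: no challenge, so the
        # browser does not re-prompt for credentials, and no redirect loop
        # back to a login form the user has already passed.
        return Response(403, {"Content-Type": "text/plain"}, "Forbidden")
    # Anonymous user: send them to the login form and carry the original
    # URL in came_from so the login form can return them afterwards.
    # urlencode() percent-encodes the URL, so '?' and '&' in it cannot
    # be confused with the login form's own query parameters.
    query = urlencode({"came_from": request.url})
    return Response(302, {"Location": f"{login_action_url(site_url)}?{query}"}, "")


def publish(view, request: Request, site_url: str) -> Response:
    """Publisher stand-in: runs a view and routes Unauthorized to the exception view."""
    try:
        return view(request)
    except Unauthorized as exc:
        return unauthorized_view(exc, request, site_url)


def protected_view(request: Request) -> Response:
    """Sample view that always denies access (constructed for the example)."""
    raise Unauthorized("not allowed")


if __name__ == "__main__":
    site = "http://example.test/site"
    anon = Request(f"{site}/private/doc?x=1", authenticated=False)
    member = Request(f"{site}/private/doc?x=1", authenticated=True)
    print(publish(protected_view, anon, site))    # 302 with came_from
    print(publish(protected_view, member, site))  # 403 Forbidden
    print(default_zope_response())                # the 401 this replaces
```

The came_from value is built server-side from the request that failed, so the redirect itself only ever points at the site's own login form; the login form that later consumes came_from is the place to check that the value stays on the same site before following it.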
