[Zope-CMF] [dev] CookieCrumbler cleanup

yuppie y.2010 at wcm-solutions.de
Mon Jun 14 08:06:22 EDT 2010


The refactoring on the cookiecrumbler_with_views branch is almost done. 
There are 3 small CookieCrumbler 'features' I'd like to remove before 
merging the changes into CMF trunk:

1.) insufficient privileges page (unauth_page property)

Logged in users are usually redirected to a view that tells them they 
don't have sufficient privileges. Anonymous users are usually redirected 
to a login form. AFAICS PAS has no built in support for that distinction 
and Plone uses require_login as dispatcher.

By default CookieCrumbler only redirects anonymous users to the login 
form, but it allows a redirect target for logged in users to be specified 
in the unauth_page property.

I propose to remove that feature because all redirection logic is moved 
to the UnauthorizedView. By default Forbidden is raised with a message 
similar to Plone's insufficient_privileges. If you want to customize 
that, you have to override the UnauthorizedView.

2.) redirect loop detection (disable_cookie_login__ parameter)

AFAICS the special disable_cookie_login__=1 behavior is only used to 
prevent redirect loops caused by unauthorized exceptions in the 
login_form. This can only happen in mis-configured sites. And browsers 
are responsible for ending infinite redirect loops, so even in the case 
of misconfiguration nothing bad happens.

I propose to remove that feature completely. If there is a reason why we 
have to detect redirect loops, we should at least do it without a 
special query parameter. CookieAuthHelper.unauthorized of PAS checks if 
ACTUAL_URL is the login_form URL.

3.) retry detection (retry parameter)

AFAICS no special retry=1 behavior is implemented, so I can't see a 
reason why we should set the retry parameter. PAS also works without 
that feature. I propose to remove that feature completely.

Please let me know if there are any objections.
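As an added illustration (not code from the cookiecrumbler_with_views branch, CMF or PAS), here is a minimal Python sketch of the dispatcher behaviour the three points above describe: anonymous users are redirected to the login form, logged in users get Forbidden, and a redirect loop is recognised by comparing ACTUAL_URL with the login_form URL instead of a marker parameter such as disable_cookie_login__. The Request class, the LOGIN_FORM URL and the came_from parameter are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Hypothetical stand-in for a Zope request: only the fields the dispatcher needs.
class Request:
    def __init__(self, actual_url, user=None):
        self.ACTUAL_URL = actual_url  # the URL that was actually requested
        self.user = user              # None means anonymous

# Constructed sample site; the real value would come from the portal.
LOGIN_FORM = "http://example.test/login_form"


def _same_resource(url_a, url_b):
    """True when both URLs name the same resource, ignoring query and fragment.

    This is what makes the check immune to markers like
    ?disable_cookie_login__=1: the query string never takes part.
    """
    pa, pb = urlsplit(url_a), urlsplit(url_b)
    return (pa.scheme, pa.netloc, pa.path.rstrip("/")) == (
        pb.scheme, pb.netloc, pb.path.rstrip("/"))


def unauthorized(request):
    """Decide what to do when Unauthorized is raised for `request`.

    Returns ("forbidden", reason) or ("redirect", url). A logged in user
    cannot be helped by a login form, so the insufficient privileges case
    is handled here rather than through a separate unauth_page property.
    """
    if request.user is not None:
        return ("forbidden", "You do not have sufficient privileges.")
    if _same_resource(request.ACTUAL_URL, LOGIN_FORM):
        # Unauthorized raised inside the login form itself: redirecting
        # there again would loop, so fail instead (mis-configured site).
        return ("forbidden", "Login form is not accessible; check site configuration.")
    # came_from is an assumed parameter name for returning after login.
    return ("redirect", f"{LOGIN_FORM}?came_from={request.ACTUAL_URL}")
```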


