[Zope-dev] Re: [Zope-Coders] Unauthorized results in 401, shouldn't it result in 403?

Chris Withers chris at simplistix.co.uk
Wed Apr 20 11:20:26 EDT 2005


Sidnei da Silva wrote:
> | Now, 5.2 is where I have the problem, since raising unauthorized 
> | anywhere in Zope traditionally pops up a basic auth box rather than 
> | returning standard_error_message with a 403 response which, as time goes 
> | by, I'm starting to think is what should really happen.
> 
> Yes! That too.
> 
> | 1. Should things change to work as I describe?
> 
> I would think so.

OK, but I would prefer more opinions on this, so moving to 
zope-dev at zope.org...

> | 2. Is the above behaviour pluggable at all?
> 
> Not at all.

Should it be? Can it be without impacting on performance?

> | 3. How does PAS handle failover from one authentication plugin to the next?
> 
> /me leaves slot for PAS experts to fill

...

> | 4. What kicks off the authentication process in Zope? Something being 
> | anonymously viewable or credentials being found in the request?
> 
> I've been looking at BaseRequest.traverse(). Basically, it tries to
> validate REQUEST._auth, 

What does? And what does validate mean in this context?

> being it set or not *wink* (when using

Right, and that was the source of the other thread?

> CookieCrumbler it's this variable is set from the cookie value) and
> that may result in a valid user or 'Anonymous User'.

Yeah, but how does CookieCrumbler stop a basic auth box being popped to 
the user when things aren't authorized?

> | PS: I suspect the answer to 4 varies depending on the type of auth :-(
> 
> I don't think so.

CookieCrumbler vs Everything Else: I think it does...

Chris

-- 
Simplistix - Content Management, Zope & Python Consulting
            - http://www.simplistix.co.uk


More information about the Zope-Dev mailing list