[Zope-dev] Itemtraverser and Unauthorized vs Views

Marius Gedminas marius at gedmin.as
Thu Jul 3 19:10:33 EDT 2008


On Tue, Jun 24, 2008 at 01:39:28PM +0200, Christian Theune wrote:
> I have a problem with the standard item traverser provided by
> zope.app.container:
> 
> The item traverser looks up an object using the given name and a __getitem__
> call on the context. If this raises a KeyError it tries to look up a view
> given the same name.
> 
> If the user does not have the permission to access __getitem__ it will let the
> Unauthorized exception pass through.
> 
> In my situation I have two views for which the user doesn't really need the
> permission to access __getitem__ on the container but they can't access the
> views because the __getitem__ call will be tried anyway.
> 
> I can explicitly make the URL use '@@viewname' and bypass the item traverser,
> but I don't like the @@s in the URL. I wonder whether adding Unauthorized to
> the KeyError would be reasonable.

I think not.  At least it should not convert Unauthorized into NotFound.

If I can access a location (say, http://localhost/container/item) when
I'm logged in, then if I try that as an anonymous user, I should get an
authentication dialog rather than a 404 Not Found page.

Marius Gedminas
-- 
If nothing else helps, read the documentation.
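
The traversal behaviour discussed in this thread, as an added example that is not part of either message and is not zope.app.container code: the item lookup falls back to a view on both KeyError and Unauthorized, but a denied item lookup is re-raised as Unauthorized when no view matches, never turned into NotFound. The exception classes, `GuardedContainer`, `traverse`, `outcome` and the `VIEWS` registry are local stand-ins assumed for illustration.

```python
# Added illustration with local stand-ins; not the real Zope traverser.

class Unauthorized(Exception):
    """Stand-in for the security layer's 'permission denied' error."""

class NotFound(Exception):
    """Stand-in for the publisher's 404 error."""

class GuardedContainer:
    """Constructed container whose __getitem__ requires a permission."""
    def __init__(self, items, may_read):
        self._items = items
        self._may_read = may_read

    def __getitem__(self, name):
        if not self._may_read:
            raise Unauthorized(name)
        return self._items[name]  # KeyError when the item is missing

def traverse(container, name, views):
    """Item first, then view; a denied lookup never becomes NotFound."""
    denied = None
    try:
        return container[name]
    except KeyError:
        pass
    except Unauthorized as exc:
        denied = exc  # remember it; a view of this name may still be allowed
    if name in views:
        return views[name]
    if denied is not None:
        raise denied  # lets the publisher challenge for credentials
    raise NotFound(name)

def outcome(container, name, views):
    """Return the traversal result, or the name of the exception raised."""
    try:
        return traverse(container, name, views)
    except (Unauthorized, NotFound) as exc:
        return type(exc).__name__

VIEWS = {"index.html": "<view index.html>"}  # hypothetical view registry
ITEMS = {"item": "<item>"}                   # constructed sample content
anonymous = GuardedContainer(ITEMS, may_read=False)
logged_in = GuardedContainer(ITEMS, may_read=True)
```

With this ordering an anonymous request for a name that is neither a view nor a readable item gets Unauthorized whether or not the item exists, so the response does not reveal which names are present in the container.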