[Zope-dev] Unauthorized handling in Zope2

Wichert Akkerman wichert at wiggy.net
Tue Apr 20 09:22:22 EDT 2010


On 4/20/10 15:17 , yuppie wrote:
> Hi!
>
>
> Wichert Akkerman wrote:
>> Unauthorised is doing stupid things here:
>>
>> (Pdb) p v
>> Unauthorized()
>> (Pdb) p unicode(v)
>> u''
>> (Pdb) p str(v)
>> *** UnicodeEncodeError: UnicodeEncodeError('ascii',
>>         u'<!DOCTYPE html...', 1175, 1176, 'ordinal not in range(128)')
>>
>> I added an extra change (see diff below) to fix that, after which things
>> seemed to work.
>
> Great!

Can you commit that change along with your other changes?

>> Still, I can not see any good reason to reraise
>> Unauthorised exceptions if there is a valid exception view for them.
>> This approach feels like we are attacking the symptom instead of fixing
>> the problem.
>
> Zope 2.12.4 was definitely broken:
>
> 401 Unauthorized responses "MUST include a WWW-Authenticate header
> field", see
> http://tools.ietf.org/html/rfc2616#section-10.4.2

Hm, fair point.

> Re-raising the exceptions makes sure the post-processing in
> HTTPResponse.exception is called. That is also expected by
> CookieCrumbler and PAS.

The authentication dance between the publisher, request, PAS and 
CookieCrumbler really is a bit contrived :(

> A better fix would be to store the rendered exception value in the
> response object instead of the exception object. That way we could
> re-raise *all* exceptions as it was done in older Zope versions.
>
> But this would have been a bigger refactoring with more risks to break
> something else.

Perhaps something for 2.13 :)

Wichert.
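The control flow yuppie describes above, as an added example that is not part of the thread and not Zope's own code: an exception view renders the error body, but only the response post-processing step (Zope's `HTTPResponse.exception`, modelled here as `Response.exception`) sets the 401 status and the `WWW-Authenticate` header that RFC 2616 section 10.4.2 requires. All class and function names (`Response`, `publish`, `rfc2616_401_problems`, `demo`) are constructed for illustration; the `reraise_unauthorized=False` path reproduces the broken behaviour, and the checker reports what a compliant 401 must carry.

```python
# Added example, not code from the thread or from Zope itself. It models the
# publisher behaviour discussed above: an exception view renders the body for
# an Unauthorized error, but only the re-raise into the response's
# post-processing sets the 401 status and the WWW-Authenticate header.
# All names below are constructed for illustration.

class Unauthorized(Exception):
    """Stand-in for Zope's Unauthorized exception."""


class Response:
    """Minimal response object with the post-processing hook."""

    def __init__(self):
        self.status = 200
        self.headers = {}
        self.body = ""

    def exception(self, exc):
        # Post-processing that runs when the exception is re-raised up to the
        # publisher (the role HTTPResponse.exception plays in Zope). For
        # Unauthorized it sets 401 and, if CookieCrumbler/PAS did not already
        # supply a challenge, a basic-auth challenge header.
        if isinstance(exc, Unauthorized):
            self.status = 401
            self.headers.setdefault("WWW-Authenticate", 'basic realm="Zope"')
        else:
            self.status = 500


def render_exception_view(exc):
    # The exception view: renders a (possibly non-ASCII) HTML error page.
    return "<!DOCTYPE html><p>Unauthorized: %s</p>" % (exc,)


def publish(view, response, reraise_unauthorized=True):
    """Call the view; on Unauthorized render the exception view into the body.

    With reraise_unauthorized=False the rendered view is returned as if it
    were a normal page: an error body with a 200 status and no
    WWW-Authenticate header, which is the symptom the thread discusses.
    """
    try:
        response.body = view()
    except Unauthorized as exc:
        response.body = render_exception_view(exc)
        if reraise_unauthorized:
            response.exception(exc)
    return response


def rfc2616_401_problems(response):
    """Return the RFC 2616 problems with a 401 response, or [] if it is fine."""
    problems = []
    if response.status != 401:
        problems.append("status is %s, not 401" % response.status)
    if "WWW-Authenticate" not in response.headers:
        problems.append("401 response lacks the WWW-Authenticate header")
    return problems


def protected_view():
    # Constructed view that always denies access, with a non-ASCII message
    # to mirror the unicode body seen in the pdb session quoted above.
    raise Unauthorized("you may not see \u00e9 this")


def demo(reraise_unauthorized):
    """Publish the protected view and return (response, list of problems)."""
    response = publish(protected_view, Response(), reraise_unauthorized)
    return response, rfc2616_401_problems(response)


if __name__ == "__main__":
    for flag in (False, True):
        resp, problems = demo(flag)
        print("reraise=%s status=%s problems=%s" % (flag, resp.status, problems))
```

Running the block shows the two cases side by side: without the re-raise the client receives the rendered HTML under a 200 status with no challenge header, so browsers and basic-auth clients never prompt for credentials; with it the body is the same but the status and header are correct.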

