[Zope-CMF] [dev] Unauthorized handling - a proposal

Charlie Clark charlie.clark at clark-consulting.eu
Tue Apr 20 07:31:11 EDT 2010


On 20.04.2010 at 12:53, yuppie <y.2010 at wcm-solutions.de> wrote:

> Proposal:
> Meanwhile a much better hook exists for exception handling: Exception
> views. I propose to move most of the Unauthorized handling to a new
> exception view in the ICMFDefaultSkin layer.

Please add a separate folder for these views. We need to separate them
from the content ones. BTW, for pedagogic reasons I'm not too keen on
EditForms being used when objects aren't being edited.

> All Unauthorized exceptions inside a CMF site are converted by the view
> into a Redirect exception for anonymous users and into a Forbidden
> exception for authenticated users.
> The redirect target is looked up in the 'user/login' Action, making
> CookieCrumbler's auto_login_page setting obsolete. The unauth_page
> setting will no longer be supported.
> CookieCrumbler and therefore CMFCore will lose the redirect feature.
> If there are no objections, I'll check in that change on CMF trunk.

This is great. Having looked at the CookieCrumbler code, and its change
log, it's clear that it hasn't seen much love in the last five years, while
Zope and the rest of the CMF have come along in leaps and bounds.

So +1 from me, but as per my other e-mails: what will the CookieCrumbler
do afterwards?

Using a view means that there is a hardcoded relation between the login  
form and the login cookies.

This is the current interface for ICookieCrumbler with the proposed
deprecation decorators:


from zope.interface import Attribute, Interface


def deprecate(obj):
    """Stand-in for the proposed deprecation marker. It has to accept both
    methods and Attribute objects, so a plain pass-through function is used
    here so that the sketch imports cleanly."""
    return obj


class ICookieCrumbler(Interface):

    """Reads cookies during traversal and simulates the HTTP auth headers.
    """

    # Python decorators cannot be applied to assignments, so the marker is
    # called on the Attribute objects instead.
    auth_cookie = deprecate(Attribute("""The key of the authorisation cookie"""))
    name_cookie = deprecate(Attribute("""The key of the authorised user cookie"""))
    pw_cookie = deprecate(Attribute("""The key of the password cookie"""))
    persist_cookie = Attribute("""The key of the persistent cookie""")
    local_cookie_path = Attribute("""If True, the cookie is tied to the local path?""")
    cache_header_value = Attribute("""If present, the login page will not be cached""")
    log_username = Attribute("""If True, the username will appear in Zope's log""")

    # Interface methods declare signatures only; they carry no bodies.
    def delRequestVar(req, name):
        """No errors of any sort may propagate, and we don't care *what*
        they are, even to log them."""

    def getCookiePath():
        """Get the path for the cookie:
        the parent URL if local_cookie_path is True, otherwise /"""

    @deprecate
    def getCookieMethod(name, default=None):
        """Allow overridable cookie set/expiration methods."""

    def defaultSetAuthCookie(resp, cookie_name, cookie_value):
        """Set the authorisation cookie"""

    def defaultExpireAuthCookie(resp, cookie_name):
        """Expire the cookie"""

    def _setAuthHeader(ac, request, response):
        """Set the auth headers for both the Zope and Medusa http request
        objects.
        """

    @deprecate
    def modifyRequest(req, resp):
        """Copies cookie-supplied credentials to the basic auth fields.

        Returns a flag indicating what the user is trying to do with
        cookies: ATTEMPT_NONE, ATTEMPT_LOGIN, or ATTEMPT_RESUME.  If
        cookie login is disabled for this request, raises
        CookieCrumblerDisabled.
        """

    def __call__(container, req):
        """The __before_publishing_traverse__ hook."""

    @deprecate
    def credentialsChanged(user, name, pw):
        """XXX: this method violates the rules for tools/utilities:
        it depends on self.REQUEST"""

    @deprecate
    def _cleanupResponse():
        """XXX: this method violates the rules for tools/utilities:
        it depends on self.REQUEST"""

    @deprecate
    def unauthorized():
        """Remove authentication cookies and redirect to standard
        unauthorized"""

    @deprecate
    def _unauthorized():
        """Remove authentication cookies and redirect to standard
        _unauthorized"""

    @deprecate
    def getUnauthorizedURL():
        """Redirects to the login page."""

    @deprecate
    def logout():
        """Logs out the user and redirects to the logout page."""

    def propertyLabel(id):
        """Return a label for the given property id"""

I'm more than happy to help with this if there is anything I can do that
doesn't mean you spend more time answering my questions than it would take
to do the work! :-)

Charlie
-- 
Charlie Clark
Managing Director
Clark Consulting & Research
German Office
Helmholtzstr. 20
Düsseldorf
D- 40215
Tel: +49-211-600-3657
Mobile: +49-178-782-6226
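As an added illustration (not code from this thread, from CMFCore or from the proposed exception view), here is the redirect-or-forbidden policy yuppie describes, written as plain Python that runs without Zope: anonymous users are redirected to the login action, authenticated users get Forbidden because re-authenticating would not help them. The function names, the `Forbidden`/`Redirect` stand-ins and the `came_from` handling are assumptions of this sketch. It also restricts `came_from` to the site's own host, a check a login-redirect view needs so it cannot be used to bounce users to another site.

```python
"""Redirect-or-forbidden handling for Unauthorized errors.

Added example for the proposal in this thread; the names here are
assumptions of the sketch, not CMF's API.
"""
from urllib.parse import urlencode, urlsplit


class Forbidden(Exception):
    """Stand-in for zExceptions.Forbidden (assumption of this sketch)."""


class Redirect(Exception):
    """Stand-in for zExceptions.Redirect; carries the target URL."""

    def __init__(self, url):
        super().__init__(url)
        self.url = url


def safe_came_from(came_from, site_url):
    """Return came_from only if it points back into the site.

    Accepts a site-relative path or an absolute URL on the site's own
    scheme and host; anything else (another host, a protocol-relative
    '//host/...' URL, or a backslash trick) is dropped so the login form
    can only send users back into this site.
    """
    if not came_from or "\\" in came_from:
        return None
    target = urlsplit(came_from)
    site = urlsplit(site_url)
    if target.scheme == "" and target.netloc == "" and came_from.startswith("/"):
        return came_from
    if target.scheme == site.scheme and target.netloc == site.netloc:
        return came_from
    return None


def resolve_unauthorized(is_anonymous, login_action_url, site_url, came_from=None):
    """Decide what the exception view should do for an Unauthorized error.

    Returns ("forbidden", None) for an authenticated user, or
    ("redirect", url) for an anonymous one, where url is the login action
    (looked up by the caller, e.g. from the 'user/login' Action) with a
    vetted came_from parameter attached when one is available.
    """
    if not is_anonymous:
        return ("forbidden", None)
    safe = safe_came_from(came_from, site_url)
    if safe is None:
        return ("redirect", login_action_url)
    return ("redirect", login_action_url + "?" + urlencode({"came_from": safe}))


def raise_for_unauthorized(is_anonymous, login_action_url, site_url, came_from=None):
    """Raise the exception the view would raise in place of Unauthorized."""
    kind, url = resolve_unauthorized(is_anonymous, login_action_url, site_url, came_from)
    if kind == "forbidden":
        raise Forbidden("Logged in, but the required permission is missing")
    raise Redirect(url)


if __name__ == "__main__":
    # Constructed sample values, not from any real site.
    site = "http://cmf.example"
    login = site + "/login_form"
    print(resolve_unauthorized(True, login, site, "/Members/doc"))
    print(resolve_unauthorized(True, login, site, "http://other.example/x"))
    print(resolve_unauthorized(False, login, site, "/Members/doc"))
```

The decision is kept in `resolve_unauthorized`, which returns a value, and the raising is a thin wrapper, so the policy can be unit-tested without a publisher in the loop.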

