[Zope-dev] Re: Suggestion for small(?) change in BaseRequest.py. Security effects?

Tres Seaver tseaver at zope.com
Fri Sep 3 08:56:37 EDT 2004


Lennart Regebro wrote:
> Dieter Maurer wrote:
> 
>> Lennart Regebro wrote at 2004-9-2 12:38 +0200:
>>
>>> ...
>>> Are there any other problems with NOT raising an exception in 
>>> unauthorized(). Because if there is, we probably limit the possible 
>>> challenge responses to a redirect, and then this change makes no 
>>> difference.
>>
>> If the traversal made any changes to persistent state, then
>> these changes are committed rather than aborted.
>>
>> Usually, traversal should not change the persistent state -- but...
> 
> Would the transaction.abort() addition suggested by Tino be enough to 
> solve that?

Lennart,

I am worried that there may be third-party application code which relies 
on 'validate' to raise an exception.  Returning the login form directly 
is not really a big win over a redirect;  among other things, it messes 
up cacheability, because the URL no longer corresponds to the "real" 
content.

Tres.
-- 
===============================================================
Tres Seaver                                tseaver at zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
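The point Dieter raises in the quoted thread (state changed during traversal gets committed when the challenge does not raise) and Tino's suggested transaction.abort() are easy to see in a toy model. The code below is an added illustration, not Zope's BaseRequest code or anything from this thread: the ToyTransaction class, the Unauthorized exception, the two validate variants and the publish_* functions are all constructed stand-ins for Zope's publisher and transaction machinery, chosen so the example runs offline with the standard library only.

```python
"""Toy model of traversal, validate() and the end-of-request commit.

Constructed for illustration; it is NOT Zope's publisher. A minimal
in-memory transaction stands in for Zope's transaction machinery.
"""


class Unauthorized(Exception):
    """Stand-in for Zope's Unauthorized: raised by the classic validate()."""


class ToyTransaction:
    """Buffers writes to a dict 'store' until commit(); abort() drops them."""

    def __init__(self, store):
        self.store = store
        self.pending = {}

    def set(self, key, value):
        self.pending[key] = value

    def commit(self):
        self.store.update(self.pending)
        self.pending = {}

    def abort(self):
        self.pending = {}


def traverse(txn, path):
    """A traversal hook that (unwisely) mutates persistent state, e.g. a
    'last visited' marker. This is the situation the thread warns about."""
    txn.set("last_path", path)
    return {"path": path}


def validate_raising(user):
    """Classic behaviour: deny by raising, which unwinds the publisher."""
    if user is None:
        raise Unauthorized("login required")


def validate_returning(user):
    """Variant under discussion: hand back the login form instead of raising."""
    if user is None:
        return "<form>login</form>"
    return None


def publish_raising(store, path, user):
    """Unauthorized propagates to the publisher, which aborts the transaction."""
    txn = ToyTransaction(store)
    try:
        traverse(txn, path)
        validate_raising(user)
        txn.commit()
        return "content"
    except Unauthorized:
        txn.abort()
        return "<form>login</form>"


def publish_returning(store, path, user, abort_on_challenge):
    """No exception: the normal end-of-request commit runs even for a
    challenge, so traversal's writes persist unless the challenge path
    explicitly aborts first (Tino's suggestion)."""
    txn = ToyTransaction(store)
    traverse(txn, path)
    challenge = validate_returning(user)
    if challenge is not None:
        if abort_on_challenge:
            txn.abort()
        txn.commit()  # normal request teardown still commits
        return challenge
    txn.commit()
    return "content"


def run_scenarios():
    """Returns whether traversal's write reached the store in each flow."""
    results = {}
    store = {}
    publish_raising(store, "/secret", user=None)
    results["raising"] = "last_path" in store
    store = {}
    publish_returning(store, "/secret", None, abort_on_challenge=False)
    results["returning_no_abort"] = "last_path" in store
    store = {}
    publish_returning(store, "/secret", None, abort_on_challenge=True)
    results["returning_with_abort"] = "last_path" in store
    return results


if __name__ == "__main__":
    for name, leaked in run_scenarios().items():
        print(f"{name}: traversal write committed = {leaked}")
```

Only the returning variant without an abort leaves the traversal write in the store; the raising flow and the returning-plus-abort flow both discard it, which is the difference the thread is weighing.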