[Zope-dev] Unauthorized handling in Zope2

yuppie y.2010 at wcm-solutions.de
Tue Apr 20 09:17:31 EDT 2010


Hi!


Wichert Akkerman wrote:
> Unauthorised is doing stupid things here:
>
> (Pdb) p v
> Unauthorized()
> (Pdb) p unicode(v)
> u''
> (Pdb) p str(v)
> *** UnicodeEncodeError: UnicodeEncodeError('ascii',
>        u'<!DOCTYPE html...', 1175, 1176, 'ordinal not in range(128)')
>
> I added an extra change (see diff below) to fix that, after which things
> seemed to work.

Great!

> Still, I can not see any good reason to reraise
> Unauthorised exceptions if there is a valid exception view for them.
> This approach feels like we are attacking the symptom instead of fixing
> the problem.

Zope 2.12.4 was definitely broken:

401 Unauthorized responses "MUST include a WWW-Authenticate header 
field", see
http://tools.ietf.org/html/rfc2616#section-10.4.2

Re-raising the exceptions makes sure the post-processing in 
HTTPResponse.exception is called. That is also expected by 
CookieCrumbler and PAS.

A better fix would be to store the rendered exception value in the 
response object instead of the exception object. That way we could 
re-raise *all* exceptions as it was done in older Zope versions.

But this would have been a bigger refactoring with more risks to break 
something else.


Cheers,

	Yuppie
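
Added example, not part of the original message and not Zope code: a WSGI middleware that records (and can optionally repair) 401 responses sent without the `WWW-Authenticate` header RFC 2616 section 10.4.2 requires. The class name, the two sample apps, the `probe` helper and the realm value are constructed for illustration.

```python
from wsgiref.util import setup_testing_defaults


class Require401Challenge:
    """WSGI middleware: record, and optionally repair, 401s with no challenge."""

    def __init__(self, app, fallback_challenge=None):
        self.app = app
        self.fallback_challenge = fallback_challenge
        self.violations = []  # PATH_INFO of each offending response

    def __call__(self, environ, start_response):
        def checked(status, headers, exc_info=None):
            if status.split(" ", 1)[0] == "401" and not any(
                name.lower() == "www-authenticate" for name, _ in headers
            ):
                self.violations.append(environ.get("PATH_INFO", ""))
                if self.fallback_challenge:
                    headers = list(headers) + [
                        ("WWW-Authenticate", self.fallback_challenge)
                    ]
            return start_response(status, headers, exc_info)

        return self.app(environ, checked)


def view_only_app(environ, start_response):
    # Constructed: an error page rendered for Unauthorized, no post-processing.
    start_response("401 Unauthorized", [("Content-Type", "text/html")])
    return [b"<!DOCTYPE html><p>Login required</p>"]


def postprocessed_app(environ, start_response):
    # Constructed: same page, but the response layer added the challenge.
    start_response("401 Unauthorized", [
        ("Content-Type", "text/html"),
        ("WWW-Authenticate", 'basic realm="example"'),
    ])
    return [b"<!DOCTYPE html><p>Login required</p>"]


def probe(app, path="/"):
    """Call a WSGI app once and return (status, headers as a lowercase dict)."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, {k.lower(): v for k, v in headers}
    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"]
```

Wrapping an application in `Require401Challenge` during functional tests and asserting that `violations` stays empty catches a regression of this kind before release.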

