[Zope-dev] PAS CookieAuthHelper and insufficient privileges

Tres Seaver tseaver at palladion.com
Wed Oct 13 12:16:48 EDT 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/11/2010 08:21 PM, Laurence Rowe wrote:
> I'm currently implementing single sign on across Plone sites but have
> run into a bit of an issue with the CookieAuthHelper.
> 
> Unauthorized accesses are redirected to its login_path attribute even
> when a user is already logged in. Plone works around this with a
> require_login script that traverses to insufficient_privileges (rather
> than login_form) when the user is not anonymous.
> http://dev.plone.org/plone/browser/Plone/trunk/Products/CMFPlone/skins/plone_login/require_login.py
> 
> I'd like to avoid having two redirects (one to require_login and then
> one to the remote login page).
> 
> One option (as suggested in require_login.py) would be to have
> CookieAuthHelper traverse rather than redirect to the login_path so
> that sites could override the behaviour, though they would then
> presumably need to duplicate the functionality currently in
> CookieAuthHelper.unauthorized (which I must admit to only barely
> understanding...)
> http://zope3.pov.lt/trac/browser/Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/CookieAuthHelper.py
> 
> Instead, it would seem to make sense to move this login /
> insufficient privileges functionality into the CookieAuthHelper
> itself. I could add an insufficient_privs_path and redirect there
> instead of login_path when a user is already authorized.
> 
> Yet another option would be to let logged in unauthorized percolate
> up and implement that page with an error view.
> 
> Any opinions? I'm leaning towards adding an insufficient_privs_path as
> it seems simplest and least invasive. (When not set it would just use
> login_path as normal).

Please do this kind of disruptive change in a *new* plugin, perhaps
subclassed from the existing one.  The whole point of plugins in the
first place was to allow for folks with different needs to handle them
by replacement.


Tres.
- -- 
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAky123AACgkQ+gerLs4ltQ7L+wCZASZR/p9/K/0W+/Yski/6nMBp
LkQAnj6nCfaq+1oTXK4JRgxvqxpxPE5n
=Fh3T
-----END PGP SIGNATURE-----
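
The approach suggested in the reply above (a new plugin subclassed from the existing one, with an insufficient_privs_path that falls back to login_path when unset), as an added example that is not code from this thread or from Products.PluggableAuthService. StubCookieAuthHelper is a simplified stand-in for the real CookieAuthHelper; challenge_path, the user_id argument (None meaning anonymous) and the sample URLs are assumptions made so the block runs on its own.

```python
from urllib.parse import urlencode


class StubCookieAuthHelper:
    """Simplified stand-in for the PAS plugin (assumption, not the real class)."""

    login_path = "login_form"

    def __init__(self, site_url):
        self.site_url = site_url

    def challenge_path(self, user_id):
        # Existing behaviour described in the thread: every Unauthorized
        # goes to login_path, even when the user is already logged in.
        return self.login_path

    def unauthorized(self, user_id, attempted_url):
        """Return the redirect URL for an Unauthorized error, or None."""
        path = self.challenge_path(user_id)
        if not path:
            return None  # no redirect configured; let the error propagate
        query = urlencode({"came_from": attempted_url})
        return "%s/%s?%s" % (self.site_url, path, query)


class InsufficientPrivsCookieAuthHelper(StubCookieAuthHelper):
    """New plugin: the existing one is left untouched for other sites."""

    insufficient_privs_path = ""  # unset: behave exactly like the parent

    def challenge_path(self, user_id):
        # A logged-in user gains nothing from the login form; send them
        # to the insufficient-privileges page if one is configured.
        if user_id is not None and self.insufficient_privs_path:
            return self.insufficient_privs_path
        return self.login_path


if __name__ == "__main__":
    plugin = InsufficientPrivsCookieAuthHelper("http://site.example")  # constructed URL
    plugin.insufficient_privs_path = "insufficient_privileges"
    for user in (None, "laurence"):
        print(user, "->", plugin.unauthorized(user, "http://site.example/secret"))
```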


