[Zope3-checkins] [Checkins] SVN: z3c.layer.pagelet/branches/icemac_login_support/src/z3c/layer/pagelet/README.txt fixed test: when the unauthenticatedPrincipal is defined in ZCML (see ftesting.zcml) 401 unauthorized is returned instead of 403 forbidden wh

Roger Ineichen dev at projekt01.ch
Thu Mar 5 14:13:09 EST 2009


Hi

> Subject: Re: [Zope3-checkins] [Checkins] 
> SVN: z3c.layer.pagelet/branches/icemac_login_support/src/z3c/layer/pagelet/README.txt
> fixed test: when the unauthenticatedPrincipal is defined in ZCML (see 
> ftesting.zcml) 401 unauthorized is returned instead of 403 forbidden wh
> 
> On Thursday 05 March 2009, Michael Howitz wrote:
> > Log message for revision 97539:
> >   fixed test: when the unauthenticatedPrincipal is defined in ZCML (see
> >   ftesting.zcml) 401 unauthorized is returned instead of 403 forbidden
> >   when an unauthorized exception is raised
> >
> > Changed:
> >   U
> > 
> >z3c.layer.pagelet/branches/icemac_login_support/src/z3c/layer
> /pagelet/R
> >EADM
> >E.txt
> >
> > -=-
> > Modified:
> > 
> >z3c.layer.pagelet/branches/icemac_login_support/src/z3c/layer
> /pagelet/R
> >EADM E.txt 
> >===================================================================
> > ---
> > 
> >z3c.layer.pagelet/branches/icemac_login_support/src/z3c/layer
> /pagelet/R
> >EADM E.txt    2009-03-05 17:02:34 UTC (rev 97538) +++  
> >z3c.layer.pagelet/branches/icemac_login_support/src/z3c/layer
> /pagelet/R
> >EADM E.txt    2009-03-05 17:13:58 UTC (rev 97539) @@ -161,7 +161,7 @@
> >    >>> unauthorized.open(skinURL + '/@@forbidden.html')
> >    Traceback (most recent call last):
> >    ...
> > -  httperror_seek_wrapper: HTTP Error 403: Forbidden
> > +  HTTPError: HTTP Error 401: Unauthorized
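
Review bot: the new expected line `HTTPError: HTTP Error 401: Unauthorized` sits under a request for `@@forbidden.html` with no explanatory prose in the hunk, so a reader of README.txt cannot tell why a page named forbidden yields 401; add a sentence before the `unauthorized.open(...)` example stating the condition from the log message (unauthenticatedPrincipal defined in ZCML, see ftesting.zcml). The same line also changes the exception name from `httperror_seek_wrapper` to `HTTPError`, which the log message does not mention; state in the log message or the test text whether that change is intended.
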
> 
> Ok, strange. Could you add your log message text before the 
> text, so that people will know that when they read the test?

I think that's correct. An unauthorized principal will run
into a 401 Unauthorized exception before it could raise a
403 Forbidden error.

An authorized principal which does not have the right permission
would run into a 403 Forbidden error without running into
a 401 Unauthorized exception.

It's important that the unauthorized principal runs into
a 401 error because that forces hooking in the authentication
concept, e.g. forcing a login on the browser side (basic auth etc.).

And the authenticated principal with a missing permission
should probably not. And if they should, then that's a part
of a custom application concept. 

Anyway,
everything described above has nothing to do with the test.
As far as I see, the forbidden.html page is a stub page
raising Unauthorized in any case. Why do you expect a
403 Forbidden?


Regards
Roger Ineichen

> Regards,
> Stephan
> --
> Stephan Richter
> Web Software Design, Development and Training Google me. 
> "Zope Stephan Richter"
> _______________________________________________
> Zope3-Checkins mailing list
> Zope3-Checkins at zope.org
> http://mail.zope.org/mailman/listinfo/zope3-checkins
> 
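
The 401-versus-403 split described in the reply above, as an added Python example that is not part of the original message and not code from z3c.layer.pagelet or Zope: a WSGI middleware answers an `Unauthorized` exception with a 401 challenge for the unauthenticated principal and with a plain 403 for an authenticated one. All names (`Unauthorized`, `guard`, `principal_from`, `USERS`, `PERMISSIONS`) and the sample credentials are constructed for illustration.

```python
# Added illustration; every name and credential here is hypothetical/constructed.
import base64
import hmac

class Unauthorized(Exception):
    """Raised by a view when the current principal lacks a permission."""

USERS = {"alice": "s3cret", "root": "t0psecret"}        # constructed credentials
PERMISSIONS = {"alice": {"view"}, "root": {"view", "manage"}}

def principal_from(environ):
    """Return the authenticated user id, or None for the unauthenticated principal."""
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes: treat as anonymous
        return None
    expected = USERS.get(user)
    ok = expected is not None and hmac.compare_digest(expected.encode(), password.encode())
    return user if ok else None

def app(environ, start_response):
    # Stub view that requires the 'manage' permission.
    if "manage" not in PERMISSIONS.get(principal_from(environ), set()):
        raise Unauthorized()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

def guard(wrapped):
    """Map Unauthorized to 401 plus a challenge, or to 403 without one."""
    def middleware(environ, start_response):
        try:
            return wrapped(environ, start_response)
        except Unauthorized:
            if principal_from(environ) is None:
                # Nobody is logged in: challenge so the browser can ask for credentials.
                start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="demo"')])
                return [b"login required"]
            # Known principal, missing permission: another login prompt would not help.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"permission denied"]
    return middleware

def status_for(authorization=None):
    """Run one request through the guarded app; return (status, headers)."""
    captured = {}
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "HTTP_AUTHORIZATION": authorization or ""}
    guard(app)(environ, lambda status, headers: captured.update(status=status, headers=dict(headers)))
    return captured["status"], captured["headers"]
```
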


