[Zope3-dev] mini-proposal: make unauthorized exception view smarter

Gary Poster gary at zope.com
Thu Jan 5 14:21:18 EST 2006


Problem:

The view for the unauthorized exception (zope/app/exception/browser/unauthorized.py/.pt)
gets the authentication utility to issue a challenge, and then draws a page.
Drawing the page is silly in some cases, and problematic in others.

In particular, for session credentials, the user is redirected to  
another page because she received an Unauthorized exception on this  
one: there is no need to draw an unviewed page for the redirect  
request (and I think we don't care about browsers that can't handle a  
redirect request).

Moreover, if the metal macro page that wraps the drawn page itself  
raises an unauthorized error, the redirect can be overridden.

Solution:

Make the unauthorized view smarter: call the authentication utility's  
unauthorized method before rendering the page, and if the request  
then has a 303 status, don't bother to render the page.  This is  
simply the default view, so if someone really cares about a browser  
that doesn't support redirects, they can register one more like the  
one we have now.
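As an added illustration of the proposed control flow (not code from the Zope 3 tree or from Gary's post), the stand-in below compares the current "challenge, then always render" view with the proposed "challenge, then render only if no 303 was issued" view. The Request, Response and authentication-utility classes are constructed stand-ins, as are the login form URL and the `wrapper_raises` switch used to simulate the metal macro page itself raising Unauthorized; the real Zope classes have more to them.

```python
# Added example: stand-ins for the request/response objects and for two kinds of
# authentication utility (constructed assumptions, not Zope 3's own classes).

class Unauthorized(Exception):
    """Raised when a principal may not view something."""


class Response:
    def __init__(self):
        self.status = 200
        self.headers = {}

    def redirect(self, location, status=303):
        # Like a browser-redirect challenge: set status and Location.
        self.status = status
        self.headers["Location"] = location

    def getStatus(self):
        return self.status


class Request:
    def __init__(self, url, principal_id="zope.anybody"):
        self.URL = url
        self.principal_id = principal_id
        self.response = Response()


class SessionCredentialsAuth:
    """Stand-in utility that challenges by redirecting to a login form."""

    LOGIN_FORM = "/@@loginForm.html"  # assumed location, constructed for the example

    def unauthorized(self, principal_id, request):
        request.response.redirect("%s?camefrom=%s" % (self.LOGIN_FORM, request.URL))


class HTTPBasicAuth:
    """Stand-in utility that challenges with a 401 and WWW-Authenticate header."""

    def unauthorized(self, principal_id, request):
        request.response.status = 401
        request.response.headers["WWW-Authenticate"] = 'basic realm="Zope"'


def render_page(wrapper_raises):
    # Models rendering unauthorized.pt through its wrapping macro page.  When the
    # wrapper itself is not viewable by the principal, rendering raises instead.
    if wrapper_raises:
        raise Unauthorized("macro page is not viewable for this principal")
    return "<html><body>Unauthorized: you are not allowed here.</body></html>"


class CurrentUnauthorizedView:
    """Existing behaviour: issue the challenge, then always draw the page."""

    def __init__(self, request, auth):
        self.request = request
        self.auth = auth

    def __call__(self, wrapper_raises=False):
        self.auth.unauthorized(self.request.principal_id, self.request)
        return render_page(wrapper_raises)


class SmartUnauthorizedView(CurrentUnauthorizedView):
    """Proposed behaviour: skip drawing when the challenge already redirected."""

    def __call__(self, wrapper_raises=False):
        self.auth.unauthorized(self.request.principal_id, self.request)
        if self.request.response.getStatus() == 303:
            return ""  # the browser is being sent elsewhere; nothing to draw
        return render_page(wrapper_raises)


def handle(view_class, auth, wrapper_raises=False):
    """Run one view against a fresh request; return (body, status, headers)."""
    request = Request("http://localhost/folder/@@edit.html")
    view = view_class(request, auth)
    body = view(wrapper_raises=wrapper_raises)
    return body, request.response.getStatus(), dict(request.response.headers)


if __name__ == "__main__":
    print(handle(SmartUnauthorizedView, SessionCredentialsAuth()))
    print(handle(SmartUnauthorizedView, HTTPBasicAuth()))
```

With session credentials the smart view returns an empty body alongside the 303, and it stays that way even when the wrapping macro page would have raised Unauthorized, since the page is never rendered; the current view propagates that exception and so loses the redirect it had just set up. With an HTTP basic challenge no 303 is issued, so both views still draw the page.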

Risks:

Requires more developer work to support browsers that don't support  
redirects.

Thoughts?

Gary

