[Zope3-dev] Re: Question about re-authentication

Christian Theune ct at gocept.com
Thu Jan 26 06:11:16 EST 2006


On Wed, 2006-01-25 at 17:25 -0500, Tres Seaver wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Stephan Richter wrote:
> > On Wednesday 25 January 2006 05:40, Christian Theune wrote:
> > 
> >>I'm quite sure that part b) isn't written yet, but I'm not sure what the
> >>state of part a) is.
> > 
> > 
> > (a) is done. It is indeed the default Zope behavior.
> 
> Hmm, I thought that Zope3's security machinery set the response code to
> 403 (Forbidden) rather than a 401 (Unauthorized) if the user is already
> authenticated, but then tries to do something not allowed.  Browsers
> (rightfully) don't treat a 403 as a prompt to reauthenticate.  The
> configured authentication service *may* override that to raise
> Unauthorized, but that is not mandated.

I think Zope has a notion of saying "there is no way you could authorize
to do this" and "well, you can't do this now, but you might be able to".

I think the first thing would be totally private stuff (like in Zope 2
using declarePrivate()) whereas the second thing would be things where
the user just misses a permission.

AFAIK things without permission declarations are private and the user
stands no chance to provide credentials that give him enough grants.

Christian

-- 
gocept gmbh & co. kg - forsterstraße 29 - 06112 halle/saale - germany
www.gocept.com - ct at gocept.com - phone +49 345 122 9889 7 -
fax +49 345 122 9889 1 - zope and plone consulting and development
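The two cases Christian distinguishes, written out as an added illustration (not Zope code and not the thread's own): a private attribute gets a 403 that browsers will not re-prompt on, while a declared-but-missing permission gets a 401 with a WWW-Authenticate challenge. The names `Principal`, `PROTECTION` and `check_access` are invented for this example.

```python
"""Added example: choose 401 vs 403 for a failed attribute access.

Cases modelled from the thread:
  * no permission declared (like Zope 2's declarePrivate()): no credentials
    could ever help, so answer 403 Forbidden and do not challenge
  * a permission is declared but not granted to the principal: other
    credentials might carry it, so answer 401 plus a WWW-Authenticate
    challenge, even if the principal is already authenticated
This is the policy Christian proposes, not a description of Zope's default.
"""
from dataclasses import dataclass, field


@dataclass
class Principal:
    id: str
    authenticated: bool
    grants: frozenset = field(default_factory=frozenset)


# Constructed permission declarations per attribute. None marks the
# attribute as private (no permission declared), mirroring declarePrivate().
PROTECTION = {
    "title": "zope.View",
    "edit": "zope.ManageContent",
    "_secret": None,
}


def check_access(principal, attr, realm="Zope"):
    """Return (status, headers) for principal trying to reach attr."""
    # Undeclared attributes are treated as private as well.
    perm = PROTECTION.get(attr)
    if perm is None:
        # No permission could ever authorize this: 403, no challenge,
        # so the browser does not prompt for credentials that cannot help.
        return 403, {}
    if perm in principal.grants:
        return 200, {}
    # The permission exists but is not granted; different credentials
    # might hold it, so challenge for re-authentication.
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % realm}
```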