Improve Tile Unauthorized Handling

[jensens]

At the moment there can be the case that we register a tile which gets called, but raises a 401Unauthorized. @@plone.app.standardtiles.lockinfo is such an example.

IMO it is

• overall fine if a tiles defines a view permission.
• if the permission is not sufficient it wont get rendered,
• otherwise it is in

This is similar to existing viewlet logic. But thats not what happens.

At the moment the tile is rendered, fails, raises a 401, 401 is catched and a 302 to the login page is produced, whole login page is delivered with a 200.

What I did to achieve the behavior above is in pull #34. But its not the best way to fix it. Here why:

First we have an explicit permission set in configuration. This could be checked before the tile is rendered at all. The current code makes it difficult to do this.

Second we may have Unauthorized errors we want to raise! This is true if the tile itself has the permission to render, but the executed code to render the tile itself raises a 401 (my PR above does not make a difference so far - so its not perfect, but better than the current situation).

Changes we need:

1. check before any rendering is tried if permission applies (ESI is in here too!) . If not render empty.
2. if the tile code is executed and an Unauthorized is raised, handle it, but
3. do not render a login form as a tile result! Propagate the redirect to the login form to the main request.

[jensens]

And plone/plone.tiles#7 is the foundation to get the necessary information for the pre-rendering-check.

[datakurre]

Nice. FWIW, when new releases for these and p.a.mosaic 2.x are needed, @esteele was willing to take care of the future releases (as the goal is to bundle these with core sometime later).

On 23. huhtikuuta 2016 klo 20.33 +0300, Jens W. Kleinnotifications@github.com, wrote:

Andplone/plone.tiles#7(plone/plone.tiles#7 the foundation to get the necessary information for the pre-rendering-check.

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly orview it on GitHub(#35 (comment))

[datakurre]

@jensens Did you manage to finish this? I don't remember.

[jensens]

No, I implemented the base for this and it logs now unauthorized and returns empty strings, but the problem to pre-check was not solved.

So above (2) is almost done, except that it does not (3) and (1) and (3) are still open.

[datakurre]

@jensens For LockInfoTile, would it be ok, if we made it zope2.View, but would render it empty without cmf.ModifyPortalContent? Sure it would not be nice to make it a special case of this, but it kind of is a special case, because it could be called for every page.

[datakurre]

FWIW ESI seems to handle Unauthorized by simply replacing esi:include with nothing, which is the correct behavior.

[datakurre]

@jensens I believe that I found a simple alternative to this. It's possible to optionally override ZServer exception handling (became possible sometime during Plone 4). A custom exception factory could either render it's own exception or return None to fallback to the default. The biggest issue with that is, of course, that you an only override them once and doing that by default would prevent local customizations.

Anyway, this is my current configuration, which renders minimal exception responses for ESI tile requests. very similar should work with test for subrequests:

@configure.adapter.factory(name='index.html')
@adapter(INotFound, IStandardTilesLayer)
@implementer(Interface)
def NotFound(exception_class, request):
    if not request.getHeader('X-Esi-Level'):
        return None

    request.response.status = 404
    url = request.getURL().split('&_esi=')[0]
    return lambda: '<!-- 404 Not Found: {0:s} -->'.format(url)


@configure.adapter.factory(name='index.html')
@adapter(IBadRequest, IStandardTilesLayer)
@implementer(Interface)
def BadRequest(exception_class, request):
    if not request.getHeader('X-Esi-Level'):
        return None

    request.response.status = 400
    url = request.getURL().split('&_esi=')[0]
    return lambda: '<!-- 400 Bad request: {0:s} -->'.format(url)


@configure.adapter.factory(name='index.html')
@adapter(IForbidden, IStandardTilesLayer)
@implementer(Interface)
def Forbidden(exception_class, request):
    if not request.getHeader('X-Esi-Level'):
        return None

    request.response.status = 401
    url = request.getURL().split('&_esi=')[0]
    return lambda: '<!-- 401 Forbidden: {0:s} -->'.format(url)


@configure.adapter.factory(name='index.html')
@adapter(Interface, IStandardTilesLayer)
@implementer(Interface)
def InternalServerError(exception_class, request):
    if not request.getHeader('X-Esi-Level'):
        return None

    request.response.status = 500
    url = request.getURL().split('&_esi=')[0]
    return lambda: '<!-- 500 Internal Server Error: {0:s} -->'.format(url)

[datakurre]

Actually, because the adaptation is against (exception, request), normal exception view registration against subrequest marker should work. (subrequest does not call those exception views at all)

[jensens]

As far as I know there is a problem with this approach in Zope 4. @davisagli @pbauer do you know details?

[davisagli]

@jensens no, actually exception views like this are the approach that Zope 4 requires in order to render custom responses for exceptions (rather than the old standard_error_message hook). The zopeplone4 branch of CMFPlone registers a few generic exception views, but they are for the default layer. So this approach looks forward-compatible to me.