That's what I thought too, but it seems like the "standard" for pyramid is to show the login view for 403:
http://docs.pylonsproject.org/projects/pyramid/en/latest/tutorials/wiki/authorization.html#add-login-and-logout-views

I think I will just rename my view from "login" to "not_authorized", and make the 403 response look more conforming.

On Feb 9, 5:50 pm, Simon Yarde <simonya...@me.com> wrote:
> I'm pretty sure you need to be using 401 for pages that require
> authorisation, and not 403.
>
> Maybe try to untangle your approach so that the login page is never throwing
> 401 (or 403). The protected resource should raise the exception and your app
> design handles it by issuing a redirect to login. The login should always be
> publicly accessible, regardless of whether you tell the user they are already
> logged in or not. URIs that represent content should not also serve login
> forms.
>
> Or did I miss something? :)
>
> > 10.4.4 403 Forbidden
> >
> > The server understood the request, but is refusing to fulfill it.
> > Authorization will not help and the request SHOULD NOT be repeated. If the
> > request method was not HEAD and the server wishes to make public why the
> > request has not been fulfilled, it SHOULD describe the reason for the
> > refusal in the entity. If the server does not wish to make this information
> > available to the client, the status code 404 (Not Found) can be used
> > instead.
>
> On 9 Feb 2012, at 09:39, Yap Sok Ann <sok...@gmail.com> wrote:
>
> > HTTPForbidden is exactly what I throw in the traversal code, which
> > then gets mapped to the login view. If I throw HTTPForbidden again in
> > the login view, it will result in 500 Internal Server Error, thus I
> > manually create a 403 response and return that instead.
> >
> > On Feb 9, 9:13 am, Jonathan Vanasco <jonat...@findmeon.com> wrote:
> >> I don't use traversal... but can't you just use an httpexception?
> >>
> >> http://readthedocs.org/docs/pyramid/en/1.0-branch/api/httpexceptions....
> >>
> >> class HTTPForbidden(detail=None, headers=None, comment=None,
> >> body_template=None, **kw)
> >> subclass of HTTPClientError
> >> This indicates that the server understood the request, but is
> >> refusing to fulfill it.
> >> code: 403, title: Forbidden
> >>
> >> from pyramid import httpexceptions
> >> ....
> >> return httpexceptions.HTTPForbidden()