fix secured views to avoid being applied to exception views #3741
fixes #3736
Found some scenarios in which an exception view was wrapped in secure views, which is not intended after info.exception_only was added. The main issue encountered is that there were tests for info.exception_only and permission is None, but actually a default exception view has permission == NO_PERMISSION_REQUIRED, so this new logic normalizes that. While in there, I was able to re-order a bunch of the logic to early-out quicker.
Because exception views are no longer involved in security checks, this avoids the issue that was run into via #3736, where an invalid URL was tested, which shouldn't happen while processing any normal exception views.