From 3aa11614b552b439dbfdc6261413b3ac8ae0131a Mon Sep 17 00:00:00 2001
From: Evan Rusackas <evan@preset.io>
Date: Wed, 15 Dec 2021 17:11:04 -0700
Subject: [PATCH] fix: change 401 response to a 403 for Security Exceptions
 (#17768)

* fix: change 401 to 403 for Security Exceptions

* updating tests to reflect new (proper) status code

* another test update
---
 superset/exceptions.py                                        | 2 +-
 tests/integration_tests/charts/data/api_tests.py              | 4 ++--
 .../dashboards/security/security_rbac_tests.py                | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/superset/exceptions.py b/superset/exceptions.py
index 2a902608a6a9..6ed3a0e8661e 100644
--- a/superset/exceptions.py
+++ b/superset/exceptions.py
@@ -149,7 +149,7 @@ def __init__(
 
 
 class SupersetSecurityException(SupersetErrorException):
-    status = 401
+    status = 403
 
     def __init__(
         self, error: SupersetError, payload: Optional[Dict[str, Any]] = None
diff --git a/tests/integration_tests/charts/data/api_tests.py b/tests/integration_tests/charts/data/api_tests.py
index cf6d0b537f14..2831c291c709 100644
--- a/tests/integration_tests/charts/data/api_tests.py
+++ b/tests/integration_tests/charts/data/api_tests.py
@@ -464,7 +464,7 @@ def test_with_invalid_time_range_endpoints_enum_value__400(self):
 
         assert rv.status_code == 400
 
-    def test_with_not_permitted_actor__401(self):
+    def test_with_not_permitted_actor__403(self):
         """
         Chart data API: Test chart data query not allowed
         """
@@ -472,7 +472,7 @@ def test_with_not_permitted_actor__401(self):
         self.login(username="gamma")
         rv = self.post_assert_metric(CHART_DATA_URI, self.query_context_payload, "data")
 
-        assert rv.status_code == 401
+        assert rv.status_code == 403
         assert (
             rv.json["errors"][0]["error_type"]
             == SupersetErrorType.DATASOURCE_SECURITY_ACCESS_ERROR
diff --git a/tests/integration_tests/dashboards/security/security_rbac_tests.py b/tests/integration_tests/dashboards/security/security_rbac_tests.py
index c1be5a911ae3..bb97a35129fe 100644
--- a/tests/integration_tests/dashboards/security/security_rbac_tests.py
+++ b/tests/integration_tests/dashboards/security/security_rbac_tests.py
@@ -91,7 +91,7 @@ def test_get_dashboard_view__user_can_not_access_without_permission(self):
 
         request_payload = get_query_context("birth_names")
         rv = self.post_assert_metric(CHART_DATA_URI, request_payload, "data")
-        self.assertEqual(rv.status_code, 401)
+        self.assertEqual(rv.status_code, 403)
 
         # assert
         self.assert403(response)