From 69c6314177c107446550759468ca5ca19c9a88c5 Mon Sep 17 00:00:00 2001 From: Ian Ward Date: Tue, 26 Jan 2016 11:54:01 -0500 Subject: [PATCH] [#2846] use 403 or 404 when forbidden, not 401 --- ckan/config/middleware.py | 6 +- ckan/controllers/admin.py | 2 +- ckan/controllers/group.py | 60 +++++++------------- ckan/controllers/home.py | 2 +- ckan/controllers/package.py | 103 ++++++++++++----------------------- ckan/controllers/revision.py | 4 +- ckan/controllers/tag.py | 2 +- ckan/controllers/user.py | 37 ++++++------- ckanext/datapusher/plugin.py | 6 +- 9 files changed, 83 insertions(+), 139 deletions(-) diff --git a/ckan/config/middleware.py b/ckan/config/middleware.py index 75aa4f8a15a..5caa24a8afb 100644 --- a/ckan/config/middleware.py +++ b/ckan/config/middleware.py @@ -108,12 +108,12 @@ def make_app(conf, full_stack=True, static_files=True, **app_conf): # Handle Python exceptions app = ErrorHandler(app, conf, **config['pylons.errorware']) - # Display error documents for 401, 403, 404 status codes (and + # Display error documents for 400, 403, 404 status codes (and # 500 when debug is disabled) if asbool(config['debug']): - app = StatusCodeRedirect(app, [400, 404]) + app = StatusCodeRedirect(app, [400, 403, 404]) else: - app = StatusCodeRedirect(app, [400, 404, 500]) + app = StatusCodeRedirect(app, [400, 403, 404, 500]) # Initialize repoze.who who_parser = WhoConfig(conf['here']) diff --git a/ckan/controllers/admin.py b/ckan/controllers/admin.py index 5d103a1e054..079294cf1c3 100644 --- a/ckan/controllers/admin.py +++ b/ckan/controllers/admin.py @@ -28,7 +28,7 @@ def __before__(self, action, **params): try: logic.check_access('sysadmin', context, {}) except logic.NotAuthorized: - base.abort(401, _('Need to be system administrator to administer')) + base.abort(403, _('Need to be system administrator to administer')) c.revision_change_state_allowed = True def _get_config_form_items(self): 
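Review bot: In the `make_app` hunk of ckan/config/middleware.py, 403 is now intercepted by `StatusCodeRedirect` in both the debug and non-debug branches, so an anonymous visitor who is denied gets the error document where the controllers used to send a 401. If the repoze.who setup initialised just below (outside this hunk) relies on a 401 to trigger its login challenge, logged-out users are no longer prompted to sign in from any controller touched by this commit. I would state the intent next to the list, e.g. `# 401 is deliberately absent: controllers return 403/404; anonymous users reach login via <mechanism>`, and cover a logged-out request with a test. The diffstat lists no test files, so any existing assertions on `status=401` presumably need updating as well.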
diff --git a/ckan/controllers/group.py b/ckan/controllers/group.py index 0738b849032..c7d9a5ae4bc 100644 --- a/ckan/controllers/group.py +++ b/ckan/controllers/group.py @@ -160,7 +160,7 @@ def index(self): try: self._check_access('site_read', context) except NotAuthorized: - abort(401, _('Not authorized to see this page')) + abort(403, _('Not authorized to see this page')) # pass user info to context as needed to view private datasets of # orgs correctly @@ -218,10 +218,8 @@ def read(self, id, limit=20): data_dict['include_datasets'] = False c.group_dict = self._action('group_show')(context, data_dict) c.group = context['group'] - except NotFound: + except (NotFound, NotAuthorized): abort(404, _('Group not found')) - except NotAuthorized: - abort(401, _('Unauthorized to read group %s') % id) self._read(id, limit, group_type) return render(self._read_template(c.group_dict['type']), @@ -400,10 +398,8 @@ def bulk_process(self, id): data_dict['include_datasets'] = False c.group_dict = self._action('group_show')(context, data_dict) c.group = context['group'] - except NotFound: + except (NotFound, NotAuthorized): abort(404, _('Group not found')) - except NotAuthorized: - abort(401, _('Unauthorized to read group %s') % id) #use different form names so that ie7 can be detected form_names = set(["bulk_action.public", "bulk_action.delete", @@ -446,7 +442,7 @@ def bulk_process(self, id): try: get_action(action_functions[action])(context, data_dict) except NotAuthorized: - abort(401, _('Not authorized to perform bulk update')) + abort(403, _('Not authorized to perform bulk update')) base.redirect(h.url_for(controller='organization', action='bulk_process', id=id)) 
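Review bot: In `read`, folding `NotAuthorized` into `except (NotFound, NotAuthorized): abort(404, _('Group not found'))` hides the existence of private groups from the client, but it also removes the only place where a denial was distinguishable, and nothing visible here records it server-side. For detection of probing against private groups and datasets, I would bind the exception and log denials before aborting, for example `log.info('group_show denied: user=%r id=%r', c.user, id)` guarded by `isinstance(e, NotAuthorized)`, assuming the module has a logger (not visible in this hunk). The same applies to the other merged handlers in this commit: `bulk_process`, `edit`, `members`, `history`, `activity` and `_get_group_dict` in group.py, the `package_show`/`resource_show` handlers in package.py, the followee lookup in user.py and `resource_data` in the datapusher plugin.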
@@ -466,7 +462,7 @@ def new(self, data=None, errors=None, error_summary=None): try: self._check_access('group_create', context) except NotAuthorized: - abort(401, _('Unauthorized to create a group')) + abort(403, _('Unauthorized to create a group')) if context['save'] and not data: return self._save_new(context, group_type) @@ -508,10 +504,8 @@ def edit(self, id, data=None, errors=None, error_summary=None): c.grouptitle = old_data.get('title') c.groupname = old_data.get('name') data = data or old_data - except NotFound: + except (NotFound, NotAuthorized): abort(404, _('Group not found')) - except NotAuthorized: - abort(401, _('Unauthorized to read group %s') % '') group = context.get("group") c.group = group @@ -520,7 +514,7 @@ def edit(self, id, data=None, errors=None, error_summary=None): try: self._check_access('group_update', context) except NotAuthorized: - abort(401, _('User %r not authorized to edit %s') % (c.user, id)) + abort(403, _('User %r not authorized to edit %s') % (c.user, id)) errors = errors or {} vars = {'data': data, 'errors': errors, @@ -553,9 +547,7 @@ def _save_new(self, context, group_type=None): # Redirect to the appropriate _read route for the type of group h.redirect_to(group['type'] + '_read', id=group['name']) - except NotAuthorized: - abort(401, _('Unauthorized to read group %s') % '') - except NotFound, e: + except (NotFound, NotAuthorized), e: abort(404, _('Group not found')) except dict_fns.DataError: abort(400, _(u'Integrity Error')) @@ -585,9 +577,7 @@ def _save_edit(self, id, context): self._force_reindex(group) h.redirect_to('%s_read' % group['type'], id=group['name']) - except NotAuthorized: - abort(401, _('Unauthorized to read group %s') % id) - except NotFound, e: + except (NotFound, NotAuthorized), e: abort(404, _('Group not found')) except dict_fns.DataError: abort(400, _(u'Integrity Error')) 
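Review bot: In `_save_new`, a `NotAuthorized` raised while creating a group is now reported as `abort(404, _('Group not found'))`, which is misleading because no existing group is being looked up on that path. I would keep a separate handler there, `except NotAuthorized: abort(403, _('Unauthorized to create a group'))`, matching the message `new` uses in the same file. `_save_edit` has the same shape: a user who can read the group but is denied the update would get 404, although `edit` checks `group_update` first, so that may only be reachable by posting directly. The bound name in `except (NotFound, NotAuthorized), e:` is unused in both handlers and can be dropped. Both functions start and end outside their hunks.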
@@ -615,7 +605,7 @@ def authz(self, id): except NotAuthorized: c.authz_editable = False if not c.authz_editable: - abort(401, + abort(403, _('User %r not authorized to edit %s authorizations') % (c.user, id)) @@ -636,7 +626,7 @@ def delete(self, id): try: self._check_access('group_delete', context, {'id': id}) except NotAuthorized: - abort(401, _('Unauthorized to delete group %s') % '') + abort(403, _('Unauthorized to delete group %s') % '') try: if request.method == 'POST': @@ -651,7 +641,7 @@ def delete(self, id): self._redirect_to_this_controller(action='index') c.group_dict = self._action('group_show')(context, {'id': id}) except NotAuthorized: - abort(401, _('Unauthorized to delete group %s') % '') + abort(403, _('Unauthorized to delete group %s') % '') except NotFound: abort(404, _('Group not found')) return self._render_template('group/confirm_delete.html', group_type) @@ -669,9 +659,7 @@ def members(self, id): data_dict = {'id': id} data_dict['include_datasets'] = False c.group_dict = self._action('group_show')(context, data_dict) - except NotAuthorized: - abort(401, _('Unauthorized to delete group %s') % '') - except NotFound: + except (NotFound, NotAuthorized): abort(404, _('Group not found')) return self._render_template('group/members.html', group_type) @@ -722,7 +710,7 @@ def member_new(self, id): else: c.user_role = 'member' except NotAuthorized: - abort(401, _('Unauthorized to add member to group %s') % '') + abort(403, _('Unauthorized to add member to group %s') % '') except NotFound: abort(404, _('Group not found')) except ValidationError, e: @@ -741,7 +729,7 @@ def member_delete(self, id): try: self._check_access('group_member_delete', context, {'id': id}) except NotAuthorized: - abort(401, _('Unauthorized to delete group %s members') % '') + abort(403, _('Unauthorized to delete group %s members') % '') try: user_id = request.params.get('user') 
@@ -754,7 +742,7 @@ def member_delete(self, id): c.user_id = user_id c.group_id = id except NotAuthorized: - abort(401, _('Unauthorized to delete group %s') % '') + abort(403, _('Unauthorized to delete group %s members') % '') except NotFound: abort(404, _('Group not found')) return self._render_template('group/confirm_delete_member.html', @@ -788,10 +776,8 @@ def history(self, id): #TODO: remove # Still necessary for the authz check in group/layout.html c.group = context['group'] - except NotFound: + except (NotFound, NotAuthorized): abort(404, _('Group not found')) - except NotAuthorized: - abort(401, _('User %r not authorized to edit %r') % (c.user, id)) format = request.params.get('format', '') if format == 'atom': @@ -847,12 +833,8 @@ def activity(self, id, offset=0): 'user': c.user, 'for_view': True} try: c.group_dict = self._get_group_dict(id) - except NotFound: + except (NotFound, NotAuthorized): abort(404, _('Group not found')) - except NotAuthorized: - abort(401, - _('Unauthorized to read group {group_id}').format( - group_id=id)) # Add the group's activity stream (already rendered to HTML) to the # template context for the group/read.html template to retrieve later. @@ -912,7 +894,7 @@ def followers(self, id): c.followers = \ get_action('group_follower_list')(context, {'id': id}) except NotAuthorized: - abort(401, _('Unauthorized to view followers %s') % '') + abort(403, _('Unauthorized to view followers %s') % '') return render('group/followers.html', extra_vars={'group_type': group_type}) @@ -943,7 +925,5 @@ def _get_group_dict(self, id): try: return self._action('group_show')( context, {'id': id, 'include_datasets': False}) - except NotFound: + except (NotFound, NotAuthorized): abort(404, _('Group not found')) - except NotAuthorized: - abort(401, _('Unauthorized to read group %s') % id) diff --git a/ckan/controllers/home.py b/ckan/controllers/home.py index da066c743be..3f76427c36c 100644 --- a/ckan/controllers/home.py +++ b/ckan/controllers/home.py 
@@ -23,7 +23,7 @@ def __before__(self, action, **env): 'auth_user_obj': c.userobj} logic.check_access('site_read', context) except logic.NotAuthorized: - base.abort(401, _('Not authorized to see this page')) + base.abort(403, _('Not authorized to see this page')) except (sqlalchemy.exc.ProgrammingError, sqlalchemy.exc.OperationalError), e: # postgres and sqlite errors for missing tables diff --git a/ckan/controllers/package.py b/ckan/controllers/package.py index 23222041123..2203983b8d7 100644 --- a/ckan/controllers/package.py +++ b/ckan/controllers/package.py @@ -139,7 +139,7 @@ def search(self): 'auth_user_obj': c.userobj} check_access('site_read', context) except NotAuthorized: - abort(401, _('Not authorized to see this page')) + abort(403, _('Not authorized to see this page')) # unicode format (decoded from utf8) q = c.q = request.params.get('q', u'') @@ -316,15 +316,13 @@ def resources(self, id): except NotFound: abort(404, _('Dataset not found')) except NotAuthorized: - abort(401, _('User %r not authorized to edit %s') % (c.user, id)) + abort(403, _('User %r not authorized to edit %s') % (c.user, id)) # check if package exists try: c.pkg_dict = get_action('package_show')(context, data_dict) c.pkg = context['package'] - except NotFound: + except (NotFound, NotAuthorized): abort(404, _('Dataset not found')) - except NotAuthorized: - abort(401, _('Unauthorized to read package %s') % id) package_type = c.pkg_dict['type'] or 'dataset' self._setup_template_variables(context, {'id': id}, @@ -423,7 +421,7 @@ def history(self, id): c.pkg = context['package'] except NotAuthorized: - abort(401, _('Unauthorized to read package %s') % '') + abort(403, _('Unauthorized to read package %s') % '') except NotFound: abort(404, _('Dataset not found')) 
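Review bot: In the `history` hunk of ckan/controllers/package.py, `NotAuthorized` still maps to `abort(403, _('Unauthorized to read package %s') % '')` while `NotFound` maps to 404, so a caller can tell a private dataset apart from a missing one. That is the distinction the rest of this commit removes for read paths. To be consistent with `read_ajax`, `resource_read` and `groups`, this should be `except (NotFound, NotAuthorized): abort(404, _('Dataset not found'))`. The same 403/404 split remains on what look like read lookups in `history_ajax`, `followers`, `activity`, `new_resource` (the `package_show` call) and the `resource_show` call in `resource_views`. The `try` bodies are partly outside the hunks, so confirm which action raises in each case. The `% ''` formatting also leaves a trailing space in the message.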
@@ -491,7 +489,7 @@ def new(self, data=None, errors=None, error_summary=None): try: check_access('package_create', context) except NotAuthorized: - abort(401, _('Unauthorized to create a package')) + abort(403, _('Unauthorized to create a package')) if context['save'] and not data: return self._save_new(context, package_type=package_type) @@ -561,7 +559,7 @@ def resource_edit(self, id, resource_id, data=None, errors=None, return self.resource_edit(id, resource_id, data, errors, error_summary) except NotAuthorized: - abort(401, _('Unauthorized to edit this resource')) + abort(403, _('Unauthorized to edit this resource')) redirect(h.url_for(controller='package', action='resource_read', id=id, resource_id=resource_id)) @@ -638,7 +636,7 @@ def new_resource(self, id, data=None, errors=None, error_summary=None): try: data_dict = get_action('package_show')(context, {'id': id}) except NotAuthorized: - abort(401, _('Unauthorized to update dataset')) + abort(403, _('Unauthorized to update dataset')) except NotFound: abort(404, _('The dataset {id} could not be found.' ).format(id=id)) @@ -675,7 +673,7 @@ def new_resource(self, id, data=None, errors=None, error_summary=None): error_summary = e.error_summary return self.new_resource(id, data, errors, error_summary) except NotAuthorized: - abort(401, _('Unauthorized to create a resource')) + abort(403, _('Unauthorized to create a resource')) except NotFound: abort(404, _('The dataset {id} could not be found.' ).format(id=id)) @@ -711,7 +709,7 @@ def new_resource(self, id, data=None, errors=None, error_summary=None): check_access( 'resource_create', context, {"package_id": pkg_dict["id"]}) except NotAuthorized: - abort(401, _('Unauthorized to create a resource for this package')) + abort(403, _('Unauthorized to create a resource for this package')) package_type = pkg_dict['type'] or 'dataset' 
@@ -747,9 +745,7 @@ def edit(self, id, data=None, errors=None, error_summary=None): if data: old_data.update(data) data = old_data - except NotAuthorized: - abort(401, _('Unauthorized to read package %s') % '') - except NotFound: + except (NotFound, NotAuthorized): abort(404, _('Dataset not found')) # are we doing a multiphase add? if data.get('state', '').startswith('draft'): @@ -764,7 +760,7 @@ def edit(self, id, data=None, errors=None, error_summary=None): try: check_access('package_update', context) except NotAuthorized: - abort(401, _('User %r not authorized to edit %s') % (c.user, id)) + abort(403, _('User %r not authorized to edit %s') % (c.user, id)) # convert tags if not supplied in data if data and not data.get('tag_string'): data['tag_string'] = ', '.join(h.dict_list_reduce( @@ -797,9 +793,7 @@ def read_ajax(self, id, revision=None): 'revision_id': revision} try: data = get_action('package_show')(context, {'id': id}) - except NotAuthorized: - abort(401, _('Unauthorized to read package %s') % '') - except NotFound: + except (NotFound, NotAuthorized): abort(404, _('Dataset not found')) data.pop('tags') @@ -816,7 +810,7 @@ def history_ajax(self, id): pkg_revisions = get_action('package_revision_list')( context, data_dict) except NotAuthorized: - abort(401, _('Unauthorized to read package %s') % '') + abort(403, _('Unauthorized to read package %s') % '') except NotFound: abort(404, _('Dataset not found')) @@ -917,7 +911,7 @@ def _save_new(self, context, package_type=None): self._form_save_redirect(pkg_dict['name'], 'new', package_type=package_type) except NotAuthorized: - abort(401, _('Unauthorized to read package %s') % '') + abort(403, _('Unauthorized to read package %s') % '') except NotFound, e: abort(404, _('Dataset not found')) except dict_fns.DataError: 
@@ -965,7 +959,7 @@ def _save_edit(self, name_or_id, context, package_type=None): self._form_save_redirect(pkg['name'], 'edit', package_type=package_type) except NotAuthorized: - abort(401, _('Unauthorized to read package %s') % id) + abort(403, _('Unauthorized to read package %s') % id) except NotFound, e: abort(404, _('Dataset not found')) except dict_fns.DataError: @@ -1017,7 +1011,7 @@ def delete(self, id): c.pkg_dict = get_action('package_show')(context, {'id': id}) dataset_type = c.pkg_dict['type'] or 'dataset' except NotAuthorized: - abort(401, _('Unauthorized to delete package %s') % '') + abort(403, _('Unauthorized to delete package %s') % '') except NotFound: abort(404, _('Dataset not found')) return render('package/confirm_delete.html', @@ -1035,7 +1029,7 @@ def resource_delete(self, id, resource_id): try: check_access('package_delete', context, {'id': id}) except NotAuthorized: - abort(401, _('Unauthorized to delete package %s') % '') + abort(403, _('Unauthorized to delete package %s') % '') try: if request.method == 'POST': @@ -1046,7 +1040,7 @@ def resource_delete(self, id, resource_id): context, {'id': resource_id}) c.pkg_id = id except NotAuthorized: - abort(401, _('Unauthorized to delete resource %s') % '') + abort(403, _('Unauthorized to delete resource %s') % '') except NotFound: abort(404, _('Resource not found')) return render('package/confirm_delete_resource.html', @@ -1060,10 +1054,8 @@ def resource_read(self, id, resource_id): try: c.package = get_action('package_show')(context, {'id': id}) - except NotFound: + except (NotFound, NotAuthorized): abort(404, _('Dataset not found')) - except NotAuthorized: - abort(401, _('Unauthorized to read dataset %s') % id) for resource in c.package.get('resources', []): if resource['id'] == resource_id: 
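Review bot: In `_save_edit`, the touched line `abort(403, _('Unauthorized to read package %s') % id)` formats `id`, but the signature in the hunk header is `_save_edit(self, name_or_id, context, package_type=None)`. Unless `id` is assigned earlier in the body (outside this hunk), it resolves to the builtin, and the error page would show the builtin's repr, not the dataset. I would use `abort(403, _('Unauthorized to read package %s') % name_or_id)`. The wording says "read" on an update path, so "edit" would be more accurate.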
@@ -1136,10 +1128,8 @@ def resource_download(self, id, resource_id, filename=None): try: rsc = get_action('resource_show')(context, {'id': resource_id}) get_action('package_show')(context, {'id': id}) - except NotFound: + except (NotFound, NotAuthorized): abort(404, _('Resource not found')) - except NotAuthorized: - abort(401, _('Unauthorized to read resource %s') % id) if rsc.get('url_type') == 'upload': upload = uploader.ResourceUpload(rsc) @@ -1215,7 +1205,7 @@ def followers(self, id=None): except NotFound: abort(404, _('Dataset not found')) except NotAuthorized: - abort(401, _('Unauthorized to read package %s') % id) + abort(403, _('Unauthorized to read package %s') % id) return render('package/followers.html', {'dataset_type': dataset_type}) @@ -1228,10 +1218,8 @@ def groups(self, id): try: c.pkg_dict = get_action('package_show')(context, data_dict) dataset_type = c.pkg_dict['type'] or 'dataset' - except NotFound: + except (NotFound, NotAuthorized): abort(404, _('Dataset not found')) - except NotAuthorized: - abort(401, _('Unauthorized to read dataset %s') % id) if request.method == 'POST': new_group = request.POST.get('group_added') @@ -1297,7 +1285,7 @@ def activity(self, id): except NotFound: abort(404, _('Dataset not found')) except NotAuthorized: - abort(401, _('Unauthorized to read dataset %s') % id) + abort(403, _('Unauthorized to read dataset %s') % id) return render('package/activity.html', {'dataset_type': dataset_type}) @@ -1324,10 +1312,8 @@ def resource_embedded_dataviewer(self, id, resource_id, raise NotFound dataset_type = c.package['type'] or 'dataset' - except NotFound: + except (NotFound, NotAuthorized): abort(404, _('Resource not found')) - except NotAuthorized: - abort(401, _('Unauthorized to read resource %s') % id) # Construct the recline state state_version = int(request.params.get('state_version', '1')) 
@@ -1390,15 +1376,13 @@ def resource_views(self, id, resource_id): try: check_access('package_update', context, data_dict) except NotAuthorized: - abort(401, _('User %r not authorized to edit %s') % (c.user, id)) + abort(403, _('User %r not authorized to edit %s') % (c.user, id)) # check if package exists try: c.pkg_dict = get_action('package_show')(context, data_dict) c.pkg = context['package'] - except NotFound: + except (NotFound, NotAuthorized): abort(404, _('Dataset not found')) - except NotAuthorized: - abort(401, _('Unauthorized to read dataset %s') % id) try: c.resource = get_action('resource_show')(context, @@ -1409,7 +1393,7 @@ def resource_views(self, id, resource_id): except NotFound: abort(404, _('Resource not found')) except NotAuthorized: - abort(401, _('Unauthorized to read resource %s') % id) + abort(403, _('Unauthorized to read resource %s') % id) self._setup_template_variables(context, {'id': id}, package_type=package_type) @@ -1426,23 +1410,19 @@ def edit_view(self, id, resource_id, view_id=None): try: check_access('resource_update', context, {'id': resource_id}) except NotAuthorized, e: - abort(401, _('User %r not authorized to edit %s') % (c.user, id)) + abort(403, _('User %r not authorized to edit %s') % (c.user, id)) # get resource and package data try: c.pkg_dict = get_action('package_show')(context, {'id': id}) c.pkg = context['package'] - except NotFound: + except (NotFound, NotAuthorized): abort(404, _('Dataset not found')) - except NotAuthorized: - abort(401, _('Unauthorized to read dataset %s') % id) try: c.resource = get_action('resource_show')(context, {'id': resource_id}) - except NotFound: + except (NotFound, NotAuthorized): abort(404, _('Resource not found')) - except NotAuthorized: - abort(401, _('Unauthorized to read resource %s') % id) data = {} errors = {} 
@@ -1477,7 +1457,7 @@ def edit_view(self, id, resource_id, view_id=None): except NotAuthorized: ## This should never happen unless the user maliciously changed ## the resource_id in the url. - abort(401, _('Unauthorized to edit resource')) + abort(403, _('Unauthorized to edit resource')) else: if not to_preview: redirect(h.url_for(controller='package', @@ -1494,10 +1474,8 @@ def edit_view(self, id, resource_id, view_id=None): ## might as well preview when loading good existing view if not errors: to_preview = True - except NotFound: + except (NotFound, NotAuthorized): abort(404, _('View not found')) - except NotAuthorized: - abort(401, _('Unauthorized to view View %s') % view_id) view_type = view_type or request.GET.get('view_type') data['view_type'] = view_type @@ -1545,18 +1523,14 @@ def resource_view(self, id, resource_id, view_id=None): try: package = get_action('package_show')(context, {'id': id}) - except NotFound: + except (NotFound, NotAuthorized): abort(404, _('Dataset not found')) - except NotAuthorized: - abort(401, _('Unauthorized to read dataset %s') % id) try: resource = get_action('resource_show')( context, {'id': resource_id}) - except NotFound: + except (NotFound, NotAuthorized): abort(404, _('Resource not found')) - except NotAuthorized: - abort(401, _('Unauthorized to read resource %s') % resource_id) view = None if request.params.get('resource_view', ''): @@ -1568,11 +1542,8 @@ def resource_view(self, id, resource_id, view_id=None): try: view = get_action('resource_view_show')( context, {'id': view_id}) - except NotFound: + except (NotFound, NotAuthorized): abort(404, _('Resource view not found')) - except NotAuthorized: - abort(401, - _('Unauthorized to read resource view %s') % view_id) if not view or not isinstance(view, dict): abort(404, _('Resource view not supplied')) 
@@ -1609,10 +1580,8 @@ def resource_datapreview(self, id, resource_id): preview_plugin.setup_template_variables(context, data_dict) c.resource_json = json.dumps(c.resource) dataset_type = c.package['type'] or 'dataset' - except NotFound: + except (NotFound, NotAuthorized): abort(404, _('Resource not found')) - except NotAuthorized: - abort(401, _('Unauthorized to read resource %s') % id) else: return render(preview_plugin.preview_template(context, data_dict), extra_vars={'dataset_type': dataset_type}) diff --git a/ckan/controllers/revision.py b/ckan/controllers/revision.py index b76e1bb324a..5d2b4643ce4 100644 --- a/ckan/controllers/revision.py +++ b/ckan/controllers/revision.py @@ -28,7 +28,7 @@ def __before__(self, action, **env): try: logic.check_access('site_read', context) except logic.NotAuthorized: - base.abort(401, _('Not authorized to see this page')) + base.abort(403, _('Not authorized to see this page')) def index(self): return self.list() @@ -179,7 +179,7 @@ def edit(self, id=None): if action in ['delete', 'undelete']: # this should be at a lower level (e.g. logic layer) if not c.revision_change_state_allowed: - base.abort(401) + base.abort(403) if action == 'delete': revision.state = model.State.DELETED elif action == 'undelete': diff --git a/ckan/controllers/tag.py b/ckan/controllers/tag.py index 0419d16a1c3..d6bb1055b1a 100644 --- a/ckan/controllers/tag.py +++ b/ckan/controllers/tag.py @@ -20,7 +20,7 @@ def __before__(self, action, **env): 'auth_user_obj': c.userobj} logic.check_access('site_read', context) except logic.NotAuthorized: - base.abort(401, _('Not authorized to see this page')) + base.abort(403, _('Not authorized to see this page')) def index(self): c.q = request.params.get('q', '') diff --git a/ckan/controllers/user.py b/ckan/controllers/user.py index 299c424a51c..8283265b6ec 100644 --- a/ckan/controllers/user.py +++ b/ckan/controllers/user.py 
@@ -43,7 +43,7 @@ def __before__(self, action, **env): check_access('site_read', context) except NotAuthorized: if c.action not in ('login', 'request_reset', 'perform_reset',): - abort(401, _('Not authorized to see this page')) + abort(403, _('Not authorized to see this page')) ## hooks for subclasses new_user_form = 'user/new_user_form.html' @@ -70,7 +70,7 @@ def _setup_template_variables(self, context, data_dict): except NotFound: abort(404, _('User not found')) except NotAuthorized: - abort(401, _('Not authorized to see this page')) + abort(403, _('Not authorized to see this page')) c.user_dict = user_dict c.is_myself = user_dict['name'] == c.user @@ -99,7 +99,7 @@ def index(self): try: check_access('user_list', context, data_dict) except NotAuthorized: - abort(401, _('Not authorized to see this page')) + abort(403, _('Not authorized to see this page')) users_list = get_action('user_list')(context, data_dict) @@ -144,7 +144,7 @@ def register(self, data=None, errors=None, error_summary=None): try: check_access('user_create', context) except NotAuthorized: - abort(401, _('Unauthorized to register as a user.')) + abort(403, _('Unauthorized to register as a user.')) return self.new(data, errors, error_summary) @@ -161,7 +161,7 @@ def new(self, data=None, errors=None, error_summary=None): try: check_access('user_create', context) except NotAuthorized: - abort(401, _('Unauthorized to create a user')) + abort(403, _('Unauthorized to create a user')) if context['save'] and not data: return self._save_new(context) @@ -193,7 +193,7 @@ def delete(self, id): h.redirect_to(user_index) except NotAuthorized: msg = _('Unauthorized to delete user with id "{user_id}".') - abort(401, msg.format(user_id=id)) + abort(403, msg.format(user_id=id)) def generate_apikey(self, id): '''Cycle the API key of a user''' 
@@ -212,7 +212,7 @@ def generate_apikey(self, id): try: result = get_action('user_generate_apikey')(context, data_dict) except NotAuthorized: - abort(401, _('Unauthorized to edit user %s') % '') + abort(403, _('Unauthorized to edit user %s') % '') except NotFound: abort(404, _('User not found')) @@ -227,7 +227,7 @@ def _save_new(self, context): captcha.check_recaptcha(request) user = get_action('user_create')(context, data_dict) except NotAuthorized: - abort(401, _('Unauthorized to create user %s') % '') + abort(403, _('Unauthorized to create user %s') % '') except NotFound, e: abort(404, _('User not found')) except DataError: @@ -271,7 +271,7 @@ def edit(self, id=None, data=None, errors=None, error_summary=None): try: check_access('user_update', context, data_dict) except NotAuthorized: - abort(401, _('Unauthorized to edit a user.')) + abort(403, _('Unauthorized to edit a user.')) if (context['save']) and not data: return self._save_edit(id, context) @@ -290,7 +290,7 @@ def edit(self, id=None, data=None, errors=None, error_summary=None): data = data or old_data except NotAuthorized: - abort(401, _('Unauthorized to edit user %s') % '') + abort(403, _('Unauthorized to edit user %s') % '') except NotFound: abort(404, _('User not found')) @@ -298,7 +298,7 @@ def edit(self, id=None, data=None, errors=None, error_summary=None): if not (authz.is_sysadmin(c.user) or c.user == user_obj.name): - abort(401, _('User %s not authorized to edit %s') % + abort(403, _('User %s not authorized to edit %s') % (str(c.user), id)) errors = errors or {} @@ -339,7 +339,7 @@ def _save_edit(self, id, context): h.flash_success(_('Profile updated')) h.redirect_to(controller='user', action='read', id=user['name']) except NotAuthorized: - abort(401, _('Unauthorized to edit user %s') % id) + abort(403, _('Unauthorized to edit user %s') % id) except NotFound, e: abort(404, _('User not found')) except DataError: 
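Review bot: In the `edit` hunk, the statement `abort(403, _('User %s not authorized to edit %s') % (str(c.user), id))` calls `str()` on the user name. This file is Python 2 (see `except NotFound, e`), so if `c.user` is a unicode string with non-ASCII characters, that call raises `UnicodeEncodeError` and the request ends in a 500 rather than the intended 403. The group and package controllers in this commit format the same message as `_('User %r not authorized to edit %s') % (c.user, id)`. Using that form here avoids the encode step and keeps the messages consistent. The second line of the statement is context, not a changed line, but it belongs to the call this hunk edits.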
@@ -425,7 +425,7 @@ def request_reset(self): try: check_access('request_reset', context) except NotAuthorized: - abort(401, _('Unauthorized to request reset password.')) + abort(403, _('Unauthorized to request reset password.')) if request.method == 'POST': id = request.params.get('user') @@ -480,7 +480,7 @@ def perform_reset(self, id): try: check_access('user_reset', context) except NotAuthorized: - abort(401, _('Unauthorized to reset password.')) + abort(403, _('Unauthorized to reset password.')) try: data_dict = {'id': id} @@ -544,7 +544,7 @@ def followers(self, id=None): try: c.followers = f(context, {'id': c.user_dict['id']}) except NotAuthorized: - abort(401, _('Unauthorized to view followers %s') % '') + abort(403, _('Unauthorized to view followers %s') % '') return render('user/followers.html') def activity(self, id, offset=0): @@ -558,7 +558,7 @@ def activity(self, id, offset=0): try: check_access('user_show', context, data_dict) except NotAuthorized: - abort(401, _('Not authorized to see this page')) + abort(403, _('Not authorized to see this page')) self._setup_template_variables(context, data_dict) @@ -600,11 +600,8 @@ def display_name(followee): abort(404, _('Follow item not found')) try: followee = action_function(context, data_dict) - except NotFound: + except (NotFound, NotAuthorized): abort(404, _('{0} not found').format(filter_type)) - except NotAuthorized: - abort(401, _('Unauthorized to read {0} {1}').format( - filter_type, id)) if followee is not None: return { diff --git a/ckanext/datapusher/plugin.py b/ckanext/datapusher/plugin.py index a3b678f83e6..9c2d0f70a62 100644 --- a/ckanext/datapusher/plugin.py +++ b/ckanext/datapusher/plugin.py 
@@ -53,10 +53,8 @@ def resource_data(self, id, resource_id): toolkit.c.resource = p.toolkit.get_action('resource_show')( None, {'id': resource_id} ) - except logic.NotFound: + except (logic.NotFound, logic.NotAuthorized): base.abort(404, _('Resource not found')) - except logic.NotAuthorized: - base.abort(401, _('Unauthorized to edit this resource')) try: datapusher_status = p.toolkit.get_action('datapusher_status')( @@ -65,7 +63,7 @@ def resource_data(self, id, resource_id): except logic.NotFound: datapusher_status = {} except logic.NotAuthorized: - base.abort(401, _('Not authorized to see this page')) + base.abort(403, _('Not authorized to see this page')) return base.render('package/resource_data.html', extra_vars={'status': datapusher_status})