Unauthorized() overrides www_authenticate=None #1516

Closed
billyrrr opened this issue Apr 19, 2019 · 0 comments

@billyrrr commented Apr 19, 2019

Unauthorized in werkzeug==0.15.2

class Unauthorized(HTTPException):
    """*401* ``Unauthorized``

    Raise if the user is not authorized to access a resource.

    The ``www_authenticate`` argument should be used to set the
    ``WWW-Authenticate`` header. This is used for HTTP basic auth and
    other schemes. Use :class:`~werkzeug.datastructures.WWWAuthenticate`
    to create correctly formatted values. Strictly speaking a 401
    response is invalid if it doesn't provide at least one value for
    this header, although real clients typically don't care.

    :param description: Override the default message used for the body
        of the response.
    :param www-authenticate: A single value, or list of values, for the
        WWW-Authenticate header.

    .. versionchanged:: 0.15.1
        ``description`` was moved back as the first argument, restoring
         its previous position.

    .. versionchanged:: 0.15.0
        ``www_authenticate`` was added as the first argument, ahead of
        ``description``.
    """

    code = 401
    description = (
        "The server could not verify that you are authorized to access"
        " the URL requested. You either supplied the wrong credentials"
        " (e.g. a bad password), or your browser doesn't understand"
        " how to supply the credentials required."
    )

    def __init__(self, description=None, www_authenticate=None):
        HTTPException.__init__(self, description)
        if not isinstance(www_authenticate, (tuple, list)):
            www_authenticate = (www_authenticate,)
        self.www_authenticate = www_authenticate

    def get_headers(self, environ=None):
        headers = HTTPException.get_headers(self, environ)
        if self.www_authenticate:
            headers.append(
                ("WWW-Authenticate", ", ".join([str(x) for x in self.www_authenticate]))
            )
        return headers

When www_authenticate=None, self.www_authenticate will still be overridden and initialized.

Unauthorized in werkzeug==0.14.1

class Unauthorized(HTTPException):

    """*401* `Unauthorized`
    Raise if the user is not authorized.  Also used if you want to use HTTP
    basic auth.
    """
    code = 401
    description = (
        'The server could not verify that you are authorized to access '
        'the URL requested.  You either supplied the wrong credentials (e.g. '
        'a bad password), or your browser doesn\'t understand how to supply '
        'the credentials required.'
    )
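
Added example (not code from the issue or from werkzeug): the 0.15.2 constructor logic quoted above, rebuilt on a constructed stand-in for HTTPException, shows that calling Unauthorized() with no arguments stores (None,) and sends the literal header value "None". The names BaseHTTPError, Unauthorized0152, UnauthorizedGuarded and challenge are hypothetical, and the guard is one possible check, not the merged patch.

```python
class BaseHTTPError(Exception):
    """Constructed stand-in for werkzeug's HTTPException (headers only)."""

    def __init__(self, description=None):
        super().__init__(description)

    def get_headers(self):
        return [("Content-Type", "text/html")]


class Unauthorized0152(BaseHTTPError):
    """Same __init__/get_headers logic as the 0.15.2 listing above."""

    def __init__(self, description=None, www_authenticate=None):
        super().__init__(description)
        if not isinstance(www_authenticate, (tuple, list)):
            www_authenticate = (www_authenticate,)  # None becomes (None,)
        self.www_authenticate = www_authenticate

    def get_headers(self):
        headers = super().get_headers()
        if self.www_authenticate:  # (None,) is non-empty, hence truthy
            headers.append(
                ("WWW-Authenticate", ", ".join(str(x) for x in self.www_authenticate))
            )
        return headers


class UnauthorizedGuarded(Unauthorized0152):
    """Hypothetical guard: wrap only when a value was actually supplied."""

    def __init__(self, description=None, www_authenticate=None):
        BaseHTTPError.__init__(self, description)
        if www_authenticate is None:
            www_authenticate = ()
        elif not isinstance(www_authenticate, (tuple, list)):
            www_authenticate = (www_authenticate,)
        self.www_authenticate = tuple(www_authenticate)


def challenge(exc):
    """Return the WWW-Authenticate value the exception would send, or None."""
    return dict(exc.get_headers()).get("WWW-Authenticate")


if __name__ == "__main__":
    for cls in (Unauthorized0152, UnauthorizedGuarded):
        print(cls.__name__, repr(challenge(cls())),
              repr(challenge(cls(www_authenticate='Basic realm="login"'))))
```

A check like challenge() works as a regression test: a 401 built without a challenge should carry no WWW-Authenticate header at all, rather than one whose value is the string "None".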

billyrrr added a commit to billyrrr/werkzeug that referenced this issue Apr 19, 2019

davidism added this to the 0.15.3 milestone May 8, 2019

davidism added a commit that referenced this issue May 12, 2019

Merge pull request #1517 from billyrrr/fix/unauthorized-init
Fix #1516 initialization of Unauthorized with www_authenticate=None

davidism closed this May 12, 2019
