# HG changeset patch
# User Filip de Waard
# Date 1292603925 -3600
# Node ID f9575bd432937270955299e3ad25997bd36bc25b
# Parent 894dcbd1dec6b6251da2db6ad691a7f069d60cb4
fixed authorization decorator to return 403 status instead of 401
diff -r 894dcbd1dec6b6251da2db6ad691a7f069d60cb4 -r f9575bd432937270955299e3ad25997bd36bc25b vix/lib/decorators.py
--- a/vix/lib/decorators.py Sat Dec 11 23:16:04 2010 +0100
+++ b/vix/lib/decorators.py Fri Dec 17 17:38:45 2010 +0100
@@ -68,7 +68,7 @@
 def authorize(database, feed, action):
 """Decorator that adds authorization to a controller method.
- Calls abort(401) if an error occurs.
+ Calls abort(403) if an error occurs.
 :param database: Database name,
 :param feed: Name of the feed to authorize for (or '*' for a global
@@ -99,7 +99,7 @@
 abort(401, 'Correct HTTP Base authentication header required.')
 if not auth.authorize(username, database, feed, action):
- abort(401, 'Insufficient privileges to perform action.')
+ abort(403, 'Insufficient privileges to perform action.')
 return func(self, *args, **kwargs)
diff -r 894dcbd1dec6b6251da2db6ad691a7f069d60cb4 -r f9575bd432937270955299e3ad25997bd36bc25b vix/tests/functional/test_feed.py
--- a/vix/tests/functional/test_feed.py Sat Dec 11 23:16:04 2010 +0100
+++ b/vix/tests/functional/test_feed.py Fri Dec 17 17:38:45 2010 +0100
@@ -45,7 +45,7 @@
 authentication = 'Basic %s' % (base64.b64encode('wmf:@!^%$&*()_+@:'))
 response = self.app.post(url(controller='feed', action='create'),
 headers={'Authorization': authentication},
- status=401)
+ status=403)
 #add another unauthorized user
 p = bcrypt.hashpw(u'@!^%$&*()_+@:', bcrypt.gensalt())
@@ -60,8 +60,7 @@
 authentication = 'Basic %s' % (base64.b64encode('fmw_:@!^%$&*()_+@:'))
 response = self.app.post(url(controller='feed', action='create'),
 headers={'Authorization': authentication},
- status=401)
-
+ status=403)
 def test_create_enforce_post(self):
 """Make sure that the Feed 'create' method only responds to 'POST'"""
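Review bot: The updated docstring line of `authorize` (vix/lib/decorators.py, hunk at line 68) now says the decorator calls `abort(403)` whenever an error occurs, but the second hunk of the same file still shows `abort(401, 'Correct HTTP Base authentication header required.')` for the header check. The docstring should name both outcomes, for example `Calls abort(401) if the authentication header is missing or incorrect,` followed by `and abort(403) if the authenticated user lacks the required privilege.` The rest of the docstring and the decorator body lie outside this hunk.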
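Review bot: The new `abort(403, ...)` branch in `authorize` (vix/lib/decorators.py, hunk at line 99) is only safe as a distinct status if the password has already been verified before it runs, and the visible lines pass just `username` to `auth.authorize(username, database, feed, action)`. The credential check is outside the hunk, so this may already hold; if it does not, the difference between 401 and 403 would confirm to an unauthenticated caller that an account exists. A comment above the check, such as `# credentials verified above; 403 = authenticated but not permitted`, would make the required ordering explicit, and the denial is worth recording (username, database, feed, action) so repeated refusals show up in audit logs. The function body starts and ends outside the hunk.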
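Review bot: Both updated assertions in vix/tests/functional/test_feed.py (the hunks at lines 45 and 60) cover only the authenticated-but-unprivileged case, so nothing visible here pins the 401 side of the new 401/403 split. Presumably a request without an `Authorization` header, or with a wrong password for an existing user, should still get 401; an assertion such as `self.app.post(url(controller='feed', action='create'), status=401)` next to these would catch a regression where bad credentials start returning 403. The test method starts outside both hunks, so such a case may already exist elsewhere in the file.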