Returns 401 when unauthorized project access occurs
Throwing wsme-based exceptions from a non-wsme context causes the API server to return 500, since the exception goes uncaught. Instead, return an HTTP response with error code 401 so the error reaches the client safely. Change-Id: Ifb753581e392ea7961b976bc97ee2348feb6825c Closes-Bug: 1365770
This commit is contained in:
parent
fcc6b0de4e
commit
e3fb64b2a0
@ -2305,7 +2305,11 @@ def requires_admin(func):
|
|||||||
usr_limit, proj_limit = acl.get_limited_to(pecan.request.headers)
|
usr_limit, proj_limit = acl.get_limited_to(pecan.request.headers)
|
||||||
# If User and Project are None, you have full access.
|
# If User and Project are None, you have full access.
|
||||||
if usr_limit and proj_limit:
|
if usr_limit and proj_limit:
|
||||||
raise ProjectNotAuthorized(proj_limit)
|
# since this decorator get's called out of wsme context
|
||||||
|
# raising exception results internal error so call abort
|
||||||
|
# for handling the error
|
||||||
|
ex = ProjectNotAuthorized(proj_limit)
|
||||||
|
pecan.core.abort(status_code=ex.code, detail=ex.msg)
|
||||||
return func(*args, **kwargs)
|
return func(*args, **kwargs)
|
||||||
|
|
||||||
return wrapped
|
return wrapped
|
||||||
|
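Review bot: The new abort call `pecan.core.abort(status_code=ex.code, detail=ex.msg)` reaches into pecan's internal module, while the documented entry point is `pecan.abort`; writing it as `pecan.abort(status_code=ex.code, detail=ex.msg)` keeps the decorator on the public API and insulates it from internal reshuffles. The three-line comment above it also reads awkwardly ("get's", "results internal error"); I would replace it with `# This decorator runs outside the wsme context, so a raised wsme exception is not translated and surfaces as a 500; abort() lets pecan render the 401 itself.` The ProjectNotAuthorized instance is built only to read its code and message, which is fine but deserves a word in that comment so the next reader does not expect it to be raised. The enclosing wrapped function and requires_admin start before this hunk.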
@ -23,7 +23,6 @@ from oslo.utils import timeutils
|
|||||||
import webtest
|
import webtest
|
||||||
|
|
||||||
from ceilometer.api import app
|
from ceilometer.api import app
|
||||||
from ceilometer.api.controllers import v2 as v2_api
|
|
||||||
from ceilometer.publisher import utils
|
from ceilometer.publisher import utils
|
||||||
from ceilometer import sample
|
from ceilometer import sample
|
||||||
from ceilometer.tests import api as acl
|
from ceilometer.tests import api as acl
|
||||||
@ -209,23 +208,8 @@ class TestAPIACL(v2.FunctionalTest,
|
|||||||
self.assertEqual(401, data.status_int)
|
self.assertEqual(401, data.status_int)
|
||||||
|
|
||||||
def test_non_admin_get_events(self):
|
def test_non_admin_get_events(self):
|
||||||
|
data = self.get_json('/event_types', expect_errors=True,
|
||||||
# NOTE(herndon): wsme does not handle the error that is being
|
|
||||||
# raised in by requires_admin dues to the decorator ordering. wsme
|
|
||||||
# does not play nice with other decorators, and so requires_admin
|
|
||||||
# must call wsme.wsexpose, and not the other way arou. The
|
|
||||||
# implication is that I can't look at the status code in the
|
|
||||||
# return value. Work around is to catch the exception here and
|
|
||||||
# verify that the status code is correct.
|
|
||||||
|
|
||||||
try:
|
|
||||||
# Intentionally *not* using assertRaises here so I can look
|
|
||||||
# at the status code of the exception.
|
|
||||||
self.get_json('/event_types', expect_errors=True,
|
|
||||||
headers={"X-Roles": "Member",
|
headers={"X-Roles": "Member",
|
||||||
"X-Auth-Token": VALID_TOKEN2,
|
"X-Auth-Token": VALID_TOKEN2,
|
||||||
"X-Project-Id": "project-good"})
|
"X-Project-Id": "project-good"})
|
||||||
except v2_api.ClientSideError as ex:
|
self.assertEqual(401, data.status_int)
|
||||||
self.assertEqual(401, ex.code)
|
|
||||||
else:
|
|
||||||
self.fail()
|
|
||||||
|
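Review bot: The rewritten test_non_admin_get_events asserts only `self.assertEqual(401, data.status_int)`, which cannot distinguish the 401 produced by requires_admin from a 401 raised earlier by the auth layer rejecting the token, so a regression in the decorator could go unnoticed as long as some layer still answers 401. If the fixture exposes the abort detail in the response body, an additional assertion on that body (on the detail text carried from ProjectNotAuthorized, whose exact wording is not visible in this hunk) would pin the behaviour this commit introduces rather than the status code alone. The class TestAPIACL continues outside the hunk.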