From e4fd69292c4a8340eba33f5c9d516796472e9269 Mon Sep 17 00:00:00 2001
From: Jacek Tomasiak
Date: Thu, 12 Mar 2020 21:50:49 +0100
Subject: [PATCH] Authenticate before Authorization When user is not logged in and given Dashboard has some `permissions` defined, `require_perms` decorator was raising `NotAuthorized('You are not authorized to access %s')` instead of `NotAuthenticated('Please log in to continue.')`. This was caused by the order of decorating the views. The decorator which is applied last is called first in the chain as it wraps the decorators which were applied before. This means that to check for authentication before checking permissions we need to apply the `require_auth` decorator after `require_perms`. Closes-Bug: 1869708 Change-Id: I94d3fa5c1472bb72c9111cab14c6e05180f88589
---
 horizon/base.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/horizon/base.py b/horizon/base.py
index e972732046..4e1240339e 100644
--- a/horizon/base.py
+++ b/horizon/base.py
@@ -561,13 +561,13 @@ class Dashboard(Registry, HorizonComponent):
 urlpatterns.append(
 url(r'', _wrapped_include(default_panel._decorated_urls)))
- # Require login if not public.
- if not self.public:
- _decorate_urlconf(urlpatterns, require_auth)
 # Apply access controls to all views in the patterns
 permissions = getattr(self, 'permissions', [])
 _decorate_urlconf(urlpatterns, require_perms, permissions)
 _decorate_urlconf(urlpatterns, _current_component, dashboard=self)
+ # Require login if not public.
+ if not self.public:
+ _decorate_urlconf(urlpatterns, require_auth)
 # Return the three arguments to django.conf.urls.include
 return urlpatterns, self.slug, self.slug
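Review bot: The relocated `# Require login if not public.` comment does not say that its position is what makes authentication run before authorization, so a later reordering of these `_decorate_urlconf` calls could silently bring back the `NotAuthorized` response for anonymous users. I would extend it to something like `# Keep this last: the decorator applied last runs first, so login is checked before require_perms.` The patch touches only horizon/base.py, so no regression test is visible here; a test that an anonymous request to a dashboard with `permissions` set raises `NotAuthenticated` would pin the order. Dashboards with `public` set still reach `require_perms` without a login check, which appears intended but is worth confirming. The enclosing method of `Dashboard` starts before the hunk.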