Authenticate before Authorization

When a user is not logged in and a given Dashboard has some `permissions`
defined, the `require_perms` decorator was raising `NotAuthorized('You are
not authorized to access %s')` instead of `NotAuthenticated('Please log
in to continue.')`.
This was caused by the order of decorating the views. The decorator
which is applied last is called first in the chain as it wraps the
decorators which were applied before.
This means that to check for authentication before checking permissions
we need to apply the `require_auth` decorator after `require_perms`.

Closes-Bug: 1869708
Change-Id: I94d3fa5c1472bb72c9111cab14c6e05180f88589
(cherry picked from commit e4fd69292c)
Jacek Tomasiak 2020-03-12 21:50:49 +01:00
parent 5b8f7548c5
commit d523376c91
1 changed files with 3 additions and 3 deletions

@ -564,13 +564,13 @@ class Dashboard(Registry, HorizonComponent):
urlpatterns.append(
url(r'', _wrapped_include(default_panel._decorated_urls)))
# Require login if not public.
if not self.public:
_decorate_urlconf(urlpatterns, require_auth)
# Apply access controls to all views in the patterns
permissions = getattr(self, 'permissions', [])
_decorate_urlconf(urlpatterns, require_perms, permissions)
_decorate_urlconf(urlpatterns, _current_component, dashboard=self)
# Require login if not public.
if not self.public:
_decorate_urlconf(urlpatterns, require_auth)
# Return the three arguments to django.conf.urls.include
return urlpatterns, self.slug, self.slug