4a4142e9b8
When a user is not authorized to see a given resource, we need to
convert HTTP 403s into HTTP 404s to avoid giving away information
that the resource exists. However, the previous code was being
overaggressive and doing this conversion even in some cases where
the user is allowed to see the resource and really needs to know
that what they were trying to do is forbidden, not be told that the
resource doesn't exist. This fixes that logic to only do the 403
to 404 conversion when truly appropriate.
Change-Id: I7a5b0a9e89c8a71490dd74497794a52489f46cd2
Closes-Bug: 1682621
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| __init__.py | ||
| attributes.py | ||
| base.py | ||
| resource.py | ||
| resource_helper.py | ||
| router.py | ||