Return 403 instead of 401 HTTP Response

401 Unauthorized is the HTTP status code used for authentication errors for eg. Missing or Bad Authentication. 403 Forbidden response is used for denying permission to access resources for a correctly authenticated user. This fix corrects the mistake in the api. Change-Id: I0903b226cfe32a7aed69d265a27ca21d7cc9b98e Closes-Bug:1477013
2015-10-22 04:19:36 +05:30 · 2015-10-22 04:19:36 +05:30 · 1ca86fd418
parent bfdcab1170
commit 1ca86fd418
4 changed files with 17 additions and 15 deletions
--- a/doc/source/specification/murano-api.rst
+++ b/doc/source/specification/murano-api.rst
@ -82,7 +82,7 @@ Environment API
 +================+===========================================================+
 | 200            | Operation completed successfully                          |
 +----------------+-----------------------------------------------------------+
-| 401            | User is not authorized to perform the operation           |
+| 403            | User is not authorized to perform the operation           |
 +----------------+-----------------------------------------------------------+

 List environments
@ -223,7 +223,7 @@ Update environment
 | 400            | Environment name must contain only alphanumeric or '_-.'  |
 |                | characters, must start with alpha                         |
 +----------------+-----------------------------------------------------------+
-| 401            | User is not authorized to access environment              |
+| 403            | User is not authorized to access environment              |
 +----------------+-----------------------------------------------------------+
 | 404            | Environment not found                                     |
 +----------------+-----------------------------------------------------------+
--- a/murano/api/v1/templates.py
+++ b/murano/api/v1/templates.py
@ -18,7 +18,7 @@ from webob import exc

 from murano.api.v1 import environments as envs_api
 from murano.api.v1 import request_statistics
-from murano.common.i18n import _, _LE
+from murano.common.i18n import _
 from murano.common import policy
 from murano.common import utils
 from murano.common import wsgi
@ -226,9 +226,9 @@ class Controller(object):
        get_env_template = env_temps.EnvTemplateServices.get_env_template
        env_template = get_env_template(env_template_id)
        if env_template.tenant_id != request.context.tenant:
-            LOG.exception(_LE('User is not authorized to access this tenant '
-                              'resources.'))
-            raise exc.HTTPUnauthorized
+            msg = _('User is not authorized to access this tenant resources')
+            LOG.error(msg)
+            raise exc.HTTPForbidden(explanation=msg)


 def create_resource():
--- a/murano/tests/functional/api/v1/test_env_templates.py
+++ b/murano/tests/functional/api/v1/test_env_templates.py
@ -184,7 +184,7 @@ class TestEnvTemplatesTenantIsolation(base.NegativeTestCase):
        """
        env_template = self.create_env_template('test_env_temp')

-        self.assertRaises(exceptions.Unauthorized,
+        self.assertRaises(exceptions.Forbidden,
                          self.alt_client.get_env_template, env_template['id'])

        self.client.delete_env_template(env_template['id'])
@ -197,7 +197,7 @@ class TestEnvTemplatesTenantIsolation(base.NegativeTestCase):
        """
        env_template = self.create_env_template('test_env_temp')

-        self.assertRaises(exceptions.Unauthorized,
+        self.assertRaises(exceptions.Forbidden,
                          self.alt_client.delete_env_template,
                          env_template['id'])
        self.client.delete_env_template(env_template['id'])
--- a/murano/utils.py
+++ b/murano/utils.py
@ -17,7 +17,7 @@ import functools
 from oslo_log import log as logging
 from webob import exc

-from murano.common.i18n import _, _LE
+from murano.common.i18n import _
 from murano.db import models
 from murano.db.services import sessions
 from murano.db import session as db_session
@ -76,15 +76,17 @@ def verify_env_template(func):
        unit = db_session.get_session()
        template = unit.query(models.EnvironmentTemplate).get(env_template_id)
        if template is None:
-            LOG.error(_LE("Environment Template with id '{id}' not found").
-                      format(id=env_template_id))
-            raise exc.HTTPNotFound()
+            msg = _('Environment Template with id {id} not found'
+                    ).format(id=env_template_id)
+            LOG.error(msg)
+            raise exc.HTTPNotFound(explanation=msg)

        if hasattr(request, 'context'):
            if template.tenant_id != request.context.tenant:
-                LOG.error(_LE('User is not authorized to access '
-                              'this tenant resources'))
-                raise exc.HTTPUnauthorized()
+                msg = _('User is not authorized to access'
+                        ' this tenant resources')
+                LOG.error(msg)
+                raise exc.HTTPForbidden(explanation=msg)

        return func(self, request, env_template_id, *args, **kwargs)
    return __inner