From a0535390b93d59ef77b96431df732e74240236a0 Mon Sep 17 00:00:00 2001
From: Chris McDonough
Date: Wed, 19 Jan 2011 02:06:36 -0500
Subject: - When a ``pyramid.exceptions.Forbidden`` error is raised, its status code now ``403 Forbidden``. It was previously ``401 Unauthorized``, for backwards compatibility purposes with ``repoze.bfg``. This change will cause problems for users of Pyramid with ``repoze.who``, which intercepts ``401 Unauthorized`` by default, but allows ``403 Forbidden`` to pass through. Those deployments will need to configure ``repoze.who`` to also react to ``403 Forbidden``.
---
 CHANGES.txt | 11 +++++++++++
 TODO.txt | 3 ---
 docs/narr/hooks.rst | 8 +-------
 pyramid/exceptions.py | 4 ++--
 pyramid/tests/test_exceptions.py | 2 +-
 pyramid/tests/test_integration.py | 8 ++++----
 6 files changed, 19 insertions(+), 17 deletions(-)
diff --git a/CHANGES.txt b/CHANGES.txt
index 5142c3380..11bcaadb5 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -7,6 +7,17 @@ Documentation
 - Merged caseman-master narrative editing branch, many wording fixes and extensions.
+Backwards Incompatibilities
+---------------------------
+
+- When a ``pyramid.exceptions.Forbidden`` error is raised, its status code
+ now ``403 Forbidden``. It was previously ``401 Unauthorized``, for
+ backwards compatibility purposes with ``repoze.bfg``. This change will
+ cause problems for users of Pyramid with ``repoze.who``, which intercepts
+ ``401 Unauthorized`` by default, but allows ``403 Forbidden`` to pass
+ through. Those deployments will need to configure ``repoze.who`` to also
+ react to ``403 Forbidden``.
+
 1.0a10 (2011-01-18)
 ===================
diff --git a/TODO.txt b/TODO.txt
index bcc7ae2e3..12eed59da 100644
--- a/TODO.txt
+++ b/TODO.txt
@@ -18,9 +18,6 @@ Must-Have (before 1.0)
 - Explain how to use i18n localization in Mako and Jinja2.
-- Turn Forbidden status code into a 403 (it's currently a 401, which is for
- bw compat, but is misleading).
-
 - Fix too-long template lines in tutorials for PDF renderings.
 - Allow ``pyramid.security.remember`` to accept a list of tokens for use when
diff --git a/docs/narr/hooks.rst b/docs/narr/hooks.rst
index 6b1522846..b3b41046f 100644
--- a/docs/narr/hooks.rst
+++ b/docs/narr/hooks.rst
@@ -80,7 +80,7 @@ Changing the Forbidden View
 When :app:`Pyramid` can't authorize execution of a view based on the :term:`authorization policy` in use, it invokes a :term:`forbidden view`.
-The default forbidden response has a 401 status code and is very plain, but
+The default forbidden response has a 403 status code and is very plain, but
 the view which generates it can be overridden as necessary. The :term:`forbidden view` callable is a view callable like any other. The
@@ -129,12 +129,6 @@ Here's some sample code that implements a minimal forbidden view:
 ``debug_authorization`` environment setting is true than it is when it is false.
-.. warning:: the default forbidden view sends a response with a ``401
- Unauthorized`` status code for backwards compatibility reasons.
- You can influence the status code of Forbidden responses by using
- an alternate forbidden view. For example, it would make sense to
- return a response with a ``403 Forbidden`` status code.
-
 .. index:: single: request factory
diff --git a/pyramid/exceptions.py b/pyramid/exceptions.py
index a3a71cf61..bcfc4ba5e 100644
--- a/pyramid/exceptions.py
+++ b/pyramid/exceptions.py
@@ -40,7 +40,7 @@ class Forbidden(ExceptionResponse):
 """ Raise this exception within :term:`view` code to immediately return the :term:`forbidden view` to the invoking user. Usually
- this is a basic ``401`` page, but the forbidden view can be
+ this is a basic ``403`` page, but the forbidden view can be
 customized as necessary. See :ref:`changing_the_forbidden_view`. This exception's constructor accepts a single positional argument, which
@@ -48,7 +48,7 @@ class Forbidden(ExceptionResponse):
 request by the router as the ``exception_message`` attribute, for availability to the :term:`Forbidden View`. """
- status = '401 Unauthorized'
+ status = '403 Forbidden'
 class NotFound(ExceptionResponse):
 """
diff --git a/pyramid/tests/test_exceptions.py b/pyramid/tests/test_exceptions.py
index f17f19336..15eaa8698 100644
--- a/pyramid/tests/test_exceptions.py
+++ b/pyramid/tests/test_exceptions.py
@@ -42,4 +42,4 @@ class TestForbidden(unittest.TestCase):
 from pyramid.exceptions import ExceptionResponse
 e = self._makeOne('unauthorized')
 self.failUnless(isinstance(e, ExceptionResponse))
- self.assertEqual(e.status, '401 Unauthorized')
+ self.assertEqual(e.status, '403 Forbidden')
diff --git a/pyramid/tests/test_integration.py b/pyramid/tests/test_integration.py
index 5b1e137d7..2f010dc77 100644
--- a/pyramid/tests/test_integration.py
+++ b/pyramid/tests/test_integration.py
@@ -100,7 +100,7 @@ class TestFixtureApp(IntegrationBase):
 self.assertEqual(res.body, 'supressed')
 def test_protected(self):
- self.testapp.get('/protected.html', status=401)
+ self.testapp.get('/protected.html', status=403)
 class TestCCBug(IntegrationBase):
 # "unordered" as reported in IRC by author of
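Review bot: The `status = '403 Forbidden'` line in the second exceptions.py hunk fixes the status for every Forbidden, whether the request is anonymous or authenticated-but-denied, and the docstring should state that consequence rather than only swapping ``401`` for ``403``. A 401 is the status that HTTP clients and challenge middleware (the commit message itself names repoze.who) use to prompt for credentials; with a bare 403 an anonymous user now gets a denial page and no login prompt unless the deployment intervenes. I would add to the docstring, after the ``403`` sentence: `The ``403`` status is used regardless of whether the request is authenticated; an application that wants anonymous requests to receive a ``401`` challenge or a login redirect must return that from a custom forbidden view.` The `class Forbidden` line and the opening of its docstring sit outside the first hunk.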
@@ -191,17 +191,17 @@ class TestViewPermissionBug(IntegrationBase):
 self.failUnless('ACLDenied' in res.body)
 def test_x(self):
- self.testapp.get('/x', status=401)
+ self.testapp.get('/x', status=403)
 class TestDefaultViewPermissionBug(IntegrationBase):
 # default_view_permission bug as reported by Wiggy at http://lists.repoze.org/pipermail/repoze-dev/2010-October/003602.html
 package = 'pyramid.tests.defpermbugapp'
 def test_x(self):
- res = self.testapp.get('/x', status=401)
+ res = self.testapp.get('/x', status=403)
 self.failUnless('failed permission check' in res.body)
 def test_y(self):
- res = self.testapp.get('/y', status=401)
+ res = self.testapp.get('/y', status=403)
 self.failUnless('failed permission check' in res.body)
 def test_z(self):
--
cgit v1.2.3