# HG changeset patch # User RĂ©mi Cardona # Date 1410438122 -7200 # Node ID f6938ae0dea8e53dd70c966624e4ed73b7252fc7 # Parent c2e7fd344b90f11057d4ca1479b867c4e2fe2105 [web] Have the LoginController return 403 on failed auth (closes #11569950)
diff -r c2e7fd344b90 -r f6938ae0dea8 cubicweb/web/test/unittest_views_basecontrollers.py
--- a/cubicweb/web/test/unittest_views_basecontrollers.py Fri May 20 11:32:23 2016 +0200
+++ b/cubicweb/web/test/unittest_views_basecontrollers.py Thu Sep 11 14:22:02 2014 +0200
@@ -27,10 +27,11 @@
 from logilab.common.testlib import unittest_main
 from logilab.common.decorators import monkeypatch
-from cubicweb import Binary, NoSelectableObject, ValidationError
+from cubicweb import Binary, NoSelectableObject, ValidationError, AuthenticationError
 from cubicweb.schema import RRQLExpression
 from cubicweb.devtools.testlib import CubicWebTC
 from cubicweb.devtools.webtest import CubicWebTestTC
+from cubicweb.devtools.httptest import CubicWebServerTC
 from cubicweb.utils import json_dumps
 from cubicweb.uilib import rql_for_eid
 from cubicweb.web import Redirect, RemoteCallFailed, http_headers
@@ -1085,5 +1086,23 @@
 self.ctrl_publish(req, ctrl='login')
 self.assertEqual(req.base_url(), cm.exception.location)
+
+class LoginControllerHTTPTC(CubicWebServerTC):
+
+ anonymous_allowed = True
+ # this TC depends on the auth mode being 'cookie' and not 'http'
+ # (the former being the default, so everything works)
+
+ def test_http_error_codes_auth_fail(self):
+ url = 'login?__login=%s&__password=%s' % ('toto', 'pouetA')
+ response = self.web_request(url, 'POST')
+ self.assertEqual(response.status, 403)
+
+ def test_http_error_codes_auth_succeed(self):
+ url = 'login?__login=%s&__password=%s' % (self.admlogin, self.admpassword)
+ response = self.web_request(url, 'POST')
+ self.assertEqual(response.status, 303)
+
+
 if __name__ == '__main__':
 unittest_main()
diff -r c2e7fd344b90 -r f6938ae0dea8 cubicweb/web/views/basecontrollers.py
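Review bot: test_http_error_codes_auth_fail pins only the 403 status, but a rejected login must also not establish a session, so the test should additionally assert that the response carries no session cookie (no `Set-Cookie` header), assuming the object returned by `web_request` exposes response headers. Both tests place the credentials in the query string of a POST (`'login?__login=%s&__password=%s'`), which is exactly how a password ends up in access logs; if `web_request` accepts a request body, sending the fields form-encoded would make the test mirror the real login form instead of exercising a path production clients should not use. The comment about the 'cookie' auth mode documents a precondition without enforcing it; a `setUp` check on the configured auth mode (via whatever accessor the TC provides) would make a failure under 'http' mode self-explanatory rather than a bare status mismatch.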
--- a/cubicweb/web/views/basecontrollers.py Fri May 20 11:32:23 2016 +0200
+++ b/cubicweb/web/views/basecontrollers.py Thu Sep 11 14:22:02 2014 +0200
@@ -25,6 +25,7 @@
 from warnings import warn
 from six import text_type
+from six.moves import http_client
 from logilab.common.deprecation import deprecated
@@ -85,6 +86,7 @@
 raise AuthenticationError()
 else:
 # Cookie authentication
+ self._cw.status_out = http_client.FORBIDDEN
 return self.appli.need_login_content(self._cw)
 class LoginControllerForAuthed(Controller):
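Review bot: The new `self._cw.status_out = http_client.FORBIDDEN` line needs a why-comment, because the sibling 'http' branch reports the same failure by raising AuthenticationError while this branch returns the login page body with a 403 rather than the 401 a reader might expect: `# 403, not 401: cookie/form auth has no WWW-Authenticate challenge to send, but the failure must still be non-2xx so clients and log-based monitoring can tell a rejected login from a normally rendered page`. The enclosing method starts outside the hunk, so it is not visible here whether this branch is reached for both absent and wrong credentials; if it is, both cases now yield 403, which is reasonable but worth stating in that comment. Setting the status without changing the rendered content also means any caching layer in front of need_login_content sees an error status now — presumably intended, but confirm nothing upstream caches 4xx bodies.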