[web] Have the LoginController return 403 on failed auth (closes #11569950)
authorRémi Cardona <remi.cardona@logilab.fr>
Thu, 11 Sep 2014 14:22:02 +0200
changeset 11268 f6938ae0dea8
parent 11267 c2e7fd344b90
child 11269 73ac69970047
[web] Have the LoginController return 403 on failed auth (closes #11569950)
cubicweb/web/test/unittest_views_basecontrollers.py
cubicweb/web/views/basecontrollers.py
--- a/cubicweb/web/test/unittest_views_basecontrollers.py	Fri May 20 11:32:23 2016 +0200
+++ b/cubicweb/web/test/unittest_views_basecontrollers.py	Thu Sep 11 14:22:02 2014 +0200
@@ -27,10 +27,11 @@
 from logilab.common.testlib import unittest_main
 from logilab.common.decorators import monkeypatch
 
-from cubicweb import Binary, NoSelectableObject, ValidationError
+from cubicweb import Binary, NoSelectableObject, ValidationError, AuthenticationError
 from cubicweb.schema import RRQLExpression
 from cubicweb.devtools.testlib import CubicWebTC
 from cubicweb.devtools.webtest import CubicWebTestTC
+from cubicweb.devtools.httptest import CubicWebServerTC
 from cubicweb.utils import json_dumps
 from cubicweb.uilib import rql_for_eid
 from cubicweb.web import Redirect, RemoteCallFailed, http_headers
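Review bot: `AuthenticationError` is added to the `from cubicweb import ...` line but none of the lines this commit adds to the test file reference it; the new `LoginControllerHTTPTC` asserts only on HTTP status codes. If nothing else in the file picks it up (the rest of the module is outside the diff), the import should go back to `from cubicweb import Binary, NoSelectableObject, ValidationError` so the test module does not carry an unused name. The `CubicWebServerTC` import on the following added line is the one the new class actually needs.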
@@ -1085,5 +1086,23 @@
                 self.ctrl_publish(req, ctrl='login')
             self.assertEqual(req.base_url(), cm.exception.location)
 
+
+class LoginControllerHTTPTC(CubicWebServerTC):
+
+    anonymous_allowed = True
+    # this TC depends on the auth mode being 'cookie' and not 'http'
+    # (the former being the default, so everything works)
+
+    def test_http_error_codes_auth_fail(self):
+        url = 'login?__login=%s&__password=%s' % ('toto', 'pouetA')
+        response = self.web_request(url, 'POST')
+        self.assertEqual(response.status, 403)
+
+    def test_http_error_codes_auth_succeed(self):
+        url = 'login?__login=%s&__password=%s' % (self.admlogin, self.admpassword)
+        response = self.web_request(url, 'POST')
+        self.assertEqual(response.status, 303)
+
+
 if __name__ == '__main__':
     unittest_main()
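Review bot: Both new tests put `__login` and `__password` in the query string of the POST rather than in the request body, and `test_http_error_codes_auth_succeed` does this with the real admin password, so the credentials end up in whatever request line the test HTTP server records; the tests also implicitly normalize credentials-in-URL as a client shape. If `web_request` accepts a body, the form fields belong there; if it does not (its signature is not visible here), a comment such as `# credentials in the query string only because web_request takes no body; the controller reads form params from either` would record that this is a harness limitation rather than intended client behaviour. The `anonymous_allowed = True` / cookie-mode comment would read more clearly as a single docstring on the class stating that the class exercises the cookie-mode branch of the LoginController, which is where the 403 is set.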
--- a/cubicweb/web/views/basecontrollers.py	Fri May 20 11:32:23 2016 +0200
+++ b/cubicweb/web/views/basecontrollers.py	Thu Sep 11 14:22:02 2014 +0200
@@ -25,6 +25,7 @@
 from warnings import warn
 
 from six import text_type
+from six.moves import http_client
 
 from logilab.common.deprecation import deprecated
 
@@ -85,6 +86,7 @@
             raise AuthenticationError()
         else:
             # Cookie authentication
+            self._cw.status_out = http_client.FORBIDDEN
             return self.appli.need_login_content(self._cw)
 
 class LoginControllerForAuthed(Controller):
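Review bot: The new `self._cw.status_out = http_client.FORBIDDEN` line carries no comment explaining why 403 is chosen over the status a reader would first expect for a failed login, 401; the enclosing method starts before this hunk. A comment such as `# 403, not 401: a 401 must carry a WWW-Authenticate challenge and makes browsers open the basic-auth dialog, which cookie/form auth must avoid` would document the choice next to the code instead of only in the commit title. It is also worth noting in that comment that the `http` branch above still raises `AuthenticationError` and leaves its status to that exception's handler, so only the cookie branch gets an explicit 403, which matches the assumption stated in the new test class. Whether `need_login_content` can later overwrite `status_out` is not visible here; if it can, the assignment should move after the content is built.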