Change response code for unauthorized access from 403 to 401
This commit is contained in:
Garret Alfert
parent
3dd79e28d3
commit
ba3f5db598
@ -29,12 +29,12 @@ module RemoteStorage
|
||||
authorizations = auth_bucket.get("#{user}:#{token}").data
|
||||
permission = directory_permission(authorizations, directory)
|
||||
|
||||
server.halt 403 unless permission
|
||||
server.halt 401 unless permission
|
||||
if ["PUT", "DELETE"].include? request_method
|
||||
server.halt 403 unless permission == "rw"
|
||||
server.halt 401 unless permission == "rw"
|
||||
end
|
||||
rescue ::Riak::HTTPFailedRequest
|
||||
server.halt 403
|
||||
server.halt 401
|
||||
end
|
||||
|
||||
def get_data(user, directory, key)
|
||||
|
||||
@ -376,13 +376,13 @@ describe "Directories" do
|
||||
it "does not allow a directory listing of the public root" do
|
||||
get "/jimmy/public/"
|
||||
|
||||
last_response.status.must_equal 403
|
||||
last_response.status.must_equal 401
|
||||
end
|
||||
|
||||
it "does not allow a directory listing of a sub-directory" do
|
||||
get "/jimmy/public/bookmarks/"
|
||||
|
||||
last_response.status.must_equal 403
|
||||
last_response.status.must_equal 401
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
@ -79,10 +79,10 @@ describe "Permissions" do
|
||||
end
|
||||
|
||||
context "when not authorized" do
|
||||
it "returns a 403 for a key in a top-level directory" do
|
||||
it "returns a 401 for a key in a top-level directory" do
|
||||
get "/jimmy/confidential/bar"
|
||||
|
||||
last_response.status.must_equal 403
|
||||
last_response.status.must_equal 401
|
||||
end
|
||||
end
|
||||
end
|
||||
@ -105,10 +105,10 @@ describe "Permissions" do
|
||||
data_bucket.get("jimmy:contacts:1").data.must_equal "John Doe"
|
||||
end
|
||||
|
||||
it "returns a 403 when there are read permissions only" do
|
||||
it "returns a 401 when there are read permissions only" do
|
||||
put "/jimmy/documents/foo", "some text"
|
||||
|
||||
last_response.status.must_equal 403
|
||||
last_response.status.must_equal 401
|
||||
end
|
||||
end
|
||||
|
||||
@ -127,10 +127,10 @@ describe "Permissions" do
|
||||
data_bucket.get("jimmy:contacts/family:1").data.must_equal "Bobby Brother"
|
||||
end
|
||||
|
||||
it "returns a 403 when there are read permissions only" do
|
||||
it "returns a 401 when there are read permissions only" do
|
||||
put "/jimmy/documents/business/1", "some text"
|
||||
|
||||
last_response.status.must_equal 403
|
||||
last_response.status.must_equal 401
|
||||
end
|
||||
end
|
||||
|
||||
@ -152,10 +152,10 @@ describe "Permissions" do
|
||||
end
|
||||
|
||||
context "when not authorized for the corresponding category" do
|
||||
it "returns a 403" do
|
||||
it "returns a 401" do
|
||||
put "/jimmy/public/documents/foo", "Foo Bar"
|
||||
|
||||
last_response.status.must_equal 403
|
||||
last_response.status.must_equal 401
|
||||
end
|
||||
end
|
||||
end
|
||||
@ -233,16 +233,16 @@ describe "Permissions" do
|
||||
object.store
|
||||
end
|
||||
|
||||
it "returns a 403 for a key in a top-level directory" do
|
||||
it "returns a 401 for a key in a top-level directory" do
|
||||
delete "/jimmy/documents/private"
|
||||
|
||||
last_response.status.must_equal 403
|
||||
last_response.status.must_equal 401
|
||||
end
|
||||
|
||||
it "returns a 403 for a key in a sub-directory" do
|
||||
it "returns a 401 for a key in a sub-directory" do
|
||||
delete "/jimmy/documents/business/foo"
|
||||
|
||||
last_response.status.must_equal 403
|
||||
last_response.status.must_equal 401
|
||||
end
|
||||
|
||||
context "public directory" do
|
||||
@ -253,10 +253,10 @@ describe "Permissions" do
|
||||
object.store
|
||||
end
|
||||
|
||||
it "returns a 403" do
|
||||
it "returns a 401" do
|
||||
delete "/jimmy/public/documents/foo"
|
||||
|
||||
last_response.status.must_equal 403
|
||||
last_response.status.must_equal 401
|
||||
end
|
||||
end
|
||||
end
|
||||
@ -385,13 +385,13 @@ describe "Permissions" do
|
||||
it "disallows PUT requests" do
|
||||
put "/jimmy/documents/foo", "some text"
|
||||
|
||||
last_response.status.must_equal 403
|
||||
last_response.status.must_equal 401
|
||||
end
|
||||
|
||||
it "disallows DELETE requests" do
|
||||
delete "/jimmy/documents/very/interesting/text"
|
||||
|
||||
last_response.status.must_equal 403
|
||||
last_response.status.must_equal 401
|
||||
end
|
||||
|
||||
context "public directory" do
|
||||
@ -411,13 +411,13 @@ describe "Permissions" do
|
||||
it "disallows PUT requests" do
|
||||
put "/jimmy/public/tasks/foo", "some text"
|
||||
|
||||
last_response.status.must_equal 403
|
||||
last_response.status.must_equal 401
|
||||
end
|
||||
|
||||
it "disallows DELETE requests" do
|
||||
delete "/jimmy/public/tasks/hello"
|
||||
|
||||
last_response.status.must_equal 403
|
||||
last_response.status.must_equal 401
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
@ -632,26 +632,26 @@ describe "App with Riak backend" do
|
||||
end
|
||||
|
||||
describe "GET" do
|
||||
it "returns a 403" do
|
||||
it "returns a 401" do
|
||||
get "/jimmy/documents/foo"
|
||||
|
||||
last_response.status.must_equal 403
|
||||
last_response.status.must_equal 401
|
||||
end
|
||||
end
|
||||
|
||||
describe "PUT" do
|
||||
it "returns a 403" do
|
||||
it "returns a 401" do
|
||||
put "/jimmy/documents/foo", "some text"
|
||||
|
||||
last_response.status.must_equal 403
|
||||
last_response.status.must_equal 401
|
||||
end
|
||||
end
|
||||
|
||||
describe "DELETE" do
|
||||
it "returns a 403" do
|
||||
it "returns a 401" do
|
||||
delete "/jimmy/documents/foo"
|
||||
|
||||
last_response.status.must_equal 403
|
||||
last_response.status.must_equal 401
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user