Use the 403 Forbidden result in case the user is unauthorized

The difference between 401 Unauthorized and 403 Forbidden is that 403 Forbidden is "permanent":
it indicates that the user was authenticated correctly, but was not allowed to access this endpoint.
In contrast, 401 Unauthorized means that the request as posted was not allowed, but a retry
with (new) authorization tokens might actually succeed.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
This commit is contained in:
Patrick Uiterwijk
2017-03-13 07:26:30 +00:00
parent 7cf77d0fee
commit a4763ee316
4 changed files with 21 additions and 21 deletions


@@ -37,7 +37,7 @@ from module_build_service.utils import (
pagination_metadata, filter_module_builds, submit_module_build_from_scm,
submit_module_build_from_yaml, scm_url_schemes, get_scm_url_re, validate_optional_params)
from module_build_service.errors import (
ValidationError, Unauthorized, NotFound)
ValidationError, Forbidden, NotFound)
api_v1 = {
'module_builds': {
@@ -98,7 +98,7 @@ class ModuleBuildAPI(MethodView):
username, groups = module_build_service.auth.get_user(request)
if conf.allowed_groups and not (conf.allowed_groups & groups):
raise Unauthorized("%s is not in any of %r, only %r" % (
raise Forbidden("%s is not in any of %r, only %r" % (
username, conf.allowed_groups, groups))
kwargs = {"username": username}
@@ -121,11 +121,11 @@ class ModuleBuildAPI(MethodView):
url = r["scmurl"]
if not any(url.startswith(prefix) for prefix in conf.scmurls):
log.error("The submitted scmurl %r is not allowed" % url)
raise Unauthorized("The submitted scmurl %s is not allowed" % url)
raise Forbidden("The submitted scmurl %s is not allowed" % url)
if not get_scm_url_re().match(url):
log.error("The submitted scmurl %r is not valid" % url)
raise Unauthorized("The submitted scmurl %s is not valid" % url)
raise Forbidden("The submitted scmurl %s is not valid" % url)
if "branch" not in r:
log.error('Missing branch')
@@ -139,7 +139,7 @@ class ModuleBuildAPI(MethodView):
def post_file(self, username):
if not conf.yaml_submit_allowed:
raise Unauthorized("YAML submission is not enabled")
raise Forbidden("YAML submission is not enabled")
validate_optional_params(request.form)
try:
@@ -154,7 +154,7 @@ class ModuleBuildAPI(MethodView):
username, groups = module_build_service.auth.get_user(request)
if conf.allowed_groups and not (conf.allowed_groups & groups):
raise Unauthorized("%s is not in any of %r, only %r" % (
raise Forbidden("%s is not in any of %r, only %r" % (
username, conf.allowed_groups, groups))
module = models.ModuleBuild.query.filter_by(id=id).first()
@@ -162,8 +162,8 @@ class ModuleBuildAPI(MethodView):
raise NotFound('No such module found.')
if module.owner != username:
raise Unauthorized('You are not owner of this build and '
'therefore cannot modify it.')
raise Forbidden('You are not owner of this build and '
'therefore cannot modify it.')
try:
r = json.loads(request.get_data().decode("utf-8"))