
launchpad-reviewers team mailing list archive

[Merge] lp:~leonardr/launchpad/bug-271029 into lp:launchpad

 

Leonard Richardson has proposed merging lp:~leonardr/launchpad/bug-271029 into lp:launchpad with lp:~leonardr/launchpad/bug-106338 as a prerequisite.

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~leonardr/launchpad/bug-271029/+merge/52423

This branch builds on my fix to bug 106338, and fixes bug 271029 in the same way. I 'slam' the 401 error code onto the Unauthorized and ForbiddenAttribute exceptions, so that whenever they occur in a web service context, the result is a 401 response code instead of an OOPS.

This code is not as straightforward as it may appear. For one thing, the Unauthorized bit may not be necessary. We have a special lookup in lazr.restful that maps Zope's Unauthorized exception to a 401 response code. So I may take that out.

Second, it's not absolutely guaranteed that ForbiddenAttribute means 401. As seen in 267888, it might mean 400, when the user tries to modify a read-only field. Bug 267888 was a very early lazr.restful bug, and it was fixed by adding checks in lazr.restful for attempts to modify a read-only field, but in theory it could still happen if a read-only field is explicitly published through the web service as read-write.
-- 
https://code.launchpad.net/~leonardr/launchpad/bug-271029/+merge/52423
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~leonardr/launchpad/bug-271029 into lp:launchpad.


