madecoste / swarming

Automatically exported from code.google.com/p/swarming
Apache License 2.0

Isolate server browse page doesn't redirect to a login screen if the user is not authenticated #161

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Repro:
1. Navigate directly to an isolate server /browse page from a new incognito tab (e.g. https://isolateserver.appspot.com/browse?namespace=default-gzip&hash=296b73704117dec7ddaab45b775bb8cff889c280)

Expected:
To be presented with an authentication screen

Actual:
403

Original issue reported on code.google.com by kmg@chromium.org on 3 Oct 2014 at 12:48

GoogleCodeExporter commented 9 years ago
It looks like @auth.require(acl.isolate_readable) doesn't even try to log in the user when unauthenticated; it should return 401 in this case instead of 403.

Original comment by maruel@chromium.org on 2 Dec 2014 at 8:19

GoogleCodeExporter commented 9 years ago
@auth.require just raises AuthorizationError since it doesn't know why exactly access is forbidden (because you are anonymous, or because you do not have permissions). The base request handler class dumbly transforms them to 403 since it has no knowledge of any particular login UI.

For UI handlers in isolate server we can define something like:

def on_authorization_error():
  if is_anonymous:
    redirect to login page that redirects back to the original page
  else:
    show 403

Original comment by vadimsh@chromium.org on 2 Dec 2014 at 9:23
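
The split discussed in the two comments above, as an added example that is not the swarming project's code: an anonymous caller on a UI page is redirected to login with a same-site return path, an anonymous non-UI caller gets 401, and an authenticated caller without permission gets 403. `LOGIN_PATH`, `READERS`, `require_reader`, `safe_return_path`, `handle` and the `continue` parameter are hypothetical names chosen for this sketch.

```python
from urllib.parse import urlencode, urlsplit

LOGIN_PATH = "/auth/login"       # hypothetical login endpoint
READERS = {"dev@example.com"}    # constructed ACL membership


class AuthorizationError(Exception):
    """Raised by the ACL check with no reason attached, as the thread describes."""


def require_reader(identity):
    # identity is None for an anonymous caller.
    if identity not in READERS:
        raise AuthorizationError()


def safe_return_path(url):
    """Reduce a URL to a same-site path and query for the post-login hop."""
    parts = urlsplit(url)
    path = parts.path
    # Reject anything a browser could read as another host ("//host", "/\host").
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        return "/"
    return path + ("?" + parts.query if parts.query else "")


def on_authorization_error(identity, request_url, ui):
    if identity is None:
        if ui:
            query = urlencode({"continue": safe_return_path(request_url)})
            return 302, {"Location": LOGIN_PATH + "?" + query}
        return 401, {}  # non-UI caller: signal "authenticate first"
    return 403, {}      # known identity without permission


def handle(identity, request_url, ui=True):
    """Return (status, headers) for one request to a protected page."""
    try:
        require_reader(identity)
    except AuthorizationError:
        return on_authorization_error(identity, request_url, ui)
    return 200, {}
```

Dropping the scheme and host from the return URL keeps the login redirect from being usable as an open redirect.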