cartodb/CartoDB-SQL-API
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Respond with 403 intead of 401 when the request has no permissions to the specific resource

Browse Source
This commit is contained in:
Daniel García Aubert 2018-02-23 15:50:23 +01:00
parent f85bdf53a5
commit cf0214f5c3
5 changed files with 20 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
app/postgresql/error_handler.js
View File

@ -34,7 +34,7 @@ ErrorHandler.prototype.getStatus = function() {
var message = this.getMessage();
if (message && message.match(/permission denied/)) {
statusError = 401;
statusError = 403;
}
if (message === conditionToMessage[pgErrorCodes.conditionToCode.query_canceled]) {
@ -46,7 +46,7 @@ ErrorHandler.prototype.getStatus = function() {
ErrorHandler.prototype.isTimeoutError = function() {
return this.err.message && (
this.err.message.indexOf('statement timeout') > -1 ||
this.err.message.indexOf('statement timeout') > -1 ||
this.err.message.indexOf('RuntimeError: Execution of function interrupted by signal') > -1
);
};

8
test/acceptance/app.auth.test.js
View File

@ -19,22 +19,22 @@ describe('app.auth', function() {
{
desc: 'invalid api key should NOT allow insert in protected tables',
url: "/api/v1/sql?api_key=RAMBO&q=INSERT%20INTO%20private_table%20(name)%20VALUES%20('RAMBO')",
statusCode: 401
statusCode: 403
},
{
desc: 'invalid api key (old redis location) should NOT allow insert in protected tables',
url: "/api/v1/sql?api_key=1235&q=INSERT%20INTO%20private_table%20(name)%20VALUES%20('RAMBO')",
statusCode: 401
statusCode: 403
},
{
desc: 'no api key should NOT allow insert in protected tables',
url: "/api/v1/sql?q=INSERT%20INTO%20private_table%20(name)%20VALUES%20('RAMBO')",
statusCode: 401
statusCode: 403
},
{
desc: 'no api key should NOT allow insert in public tables',
url: "/api/v1/sql?q=INSERT%20INTO%20untitle_table_4%20(name)%20VALUES%20('RAMBO')",
statusCode: 401
statusCode: 403
}
];

2
test/acceptance/app.test.js
View File

@ -100,7 +100,7 @@ it('GET /api/v1/sql with INSERT. oAuth not used, so public user - should fail',
method: 'GET'
},{
}, function(err, res) {
assert.equal(res.statusCode, 401, res.statusCode + ': ' + res.body);
assert.equal(res.statusCode, 403, res.statusCode + ': ' + res.body);
assert.deepEqual(res.headers['content-type'], 'application/json; charset=utf-8');
assert.deepEqual(res.headers['content-disposition'], 'inline');
assert.deepEqual(JSON.parse(res.body),

14
test/acceptance/auth-api.js
View File

@ -39,7 +39,7 @@ describe('Auth API', function () {
this.testClient = new TestClient({ apiKey: 'wrong' });
const expectedResponse = {
response: {
status: 401
status: 403
}
};
@ -54,7 +54,7 @@ describe('Auth API', function () {
this.testClient = new TestClient();
const expectedResponse = {
response: {
status: 401
status: 403
},
anonymous: true
};
@ -97,7 +97,7 @@ describe('Auth API', function () {
this.testClient = new TestClient({ apiKey: 'regular2' });
const expectedResponse = {
response: {
status: 401
status: 403
}
};
@ -123,7 +123,7 @@ describe('Auth API', function () {
const expectedResponse = {
response: {
status: 401
status: 403
},
anonymous: true
};
@ -198,7 +198,7 @@ describe('Auth API', function () {
this.testClient = new TestClient({ authorization: 'vizzuality:regular2' });
const expectedResponse = {
response: {
status: 401
status: 403
},
anonymous: true
};
@ -231,7 +231,7 @@ describe('Auth API', function () {
this.testClient = new TestClient({ authorization: 'wadus:regular2' });
const expectedResponse = {
response: {
status: 401
status: 403
},
anonymous: true
};
@ -263,7 +263,7 @@ describe('Auth API', function () {
this.testClient = new TestClient({ authorization: 'vizzuality:wrong' });
const expectedResponse = {
response: {
status: 401
status: 403
},
anonymous: true
};

12
test/acceptance/batch/job.test.js
View File

@ -79,7 +79,7 @@ describe('job module', function() {
});
});
it('POST /api/v2/sql/job with wrong api key should respond with 401 permission denied', function (done){
it('POST /api/v2/sql/job with wrong api key should respond with 403 permission denied', function (done){
assert.response(server, {
url: '/api/v2/sql/job?api_key=wrong',
headers: { 'host': 'vizzuality.cartodb.com', 'Content-Type': 'application/x-www-form-urlencoded' },
@ -88,7 +88,7 @@ describe('job module', function() {
query: "SELECT * FROM untitle_table_4"
})
}, {
status: 401
status: 403
}, function(err, res) {
var error = JSON.parse(res.body);
assert.deepEqual(error, { error: [ 'permission denied' ] });
@ -134,13 +134,13 @@ describe('job module', function() {
});
});
it('GET /api/v2/sql/job/:job_id with wrong api key should respond with 401 permission denied', function (done){
it('GET /api/v2/sql/job/:job_id with wrong api key should respond with 403 permission denied', function (done){
assert.response(server, {
url: '/api/v2/sql/job/' + job.job_id + '?api_key=wrong',
headers: { 'host': 'vizzuality.cartodb.com', 'Content-Type': 'application/x-www-form-urlencoded' },
method: 'GET'
}, {
status: 401
status: 403
}, function(err, res) {
var error = JSON.parse(res.body);
assert.deepEqual(error, { error: [ 'permission denied' ] });
@ -182,13 +182,13 @@ describe('job module', function() {
});
});
it('DELETE /api/v2/sql/job/:job_id with wrong api key should respond with 401 permission denied', function (done){
it('DELETE /api/v2/sql/job/:job_id with wrong api key should respond with 403 permission denied', function (done){
assert.response(server, {
url: '/api/v2/sql/job/' + job.job_id + '?api_key=wrong',
headers: { 'host': 'vizzuality.cartodb.com', 'Content-Type': 'application/x-www-form-urlencoded' },
method: 'DELETE'
}, {
status: 401
status: 403
}, function(err, res) {
var error = JSON.parse(res.body);
assert.deepEqual(error, { error: [ 'permission denied' ] });