Raise HTTPErrors instead of sending errors directly to the client.

pull/7/head
Ferry Boender 10 years ago
parent 6d7cdf744c
commit 0c1d213458
  1. 20
      src/webapp.py

@ -371,9 +371,7 @@ class ScriptFormWebApp(WebAppHandler):
form_def = form_config.get_form_def(form_name)
if form_def.allowed_users is not None and \
self.username not in form_def.allowed_users:
# FIXME: Raise HTTPError instead?
self.send_error(401, "You're not authorized to view this form")
return
raise HTTPError(403, "You're not authorized to view this form")
html_errors = u''
if errors:
@ -412,9 +410,7 @@ class ScriptFormWebApp(WebAppHandler):
form_def = form_config.get_form_def(form_name)
if form_def.allowed_users is not None and \
self.username not in form_def.allowed_users:
# FIXME: Raise HTTPError instead?
self.send_error(401, "You're not authorized to view this form")
return
raise HTTPError(403, "You're not authorized to view this form")
# Convert FieldStorage to a simple dict, because we're not allowd to
# add items to it. For normal fields, the form field name becomes the
@ -506,20 +502,14 @@ class ScriptFormWebApp(WebAppHandler):
form_config = self.scriptform.get_form_config()
if not form_config.static_dir:
# FIXME: Raise Error
self.send_error(501, "Static file serving not enabled")
return
raise HTTPError(501, "Static file serving not enabled")
if '..' in fname:
# FIXME: Raise Error
self.send_error(403, "Invalid file name")
return
raise HTTPError(403, "Invalid file name")
path = os.path.join(form_config.static_dir, fname)
if not os.path.exists(path):
# FIXME: Raise Error
self.send_error(404, "Not found")
return
raise HTTPError(404, "Not found")
f = file(path, 'r')
self.send_response(200)
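Review bot: In the static-file hunk, `if '..' in fname:` is the only containment check before `os.path.join(form_config.static_dir, fname)`, and `os.path.join` drops `static_dir` entirely when `fname` is an absolute path, so the guard alone does not establish that the served file lies under the static directory; how `fname` is derived is outside the hunk, so the caller may already constrain it. I would resolve and compare instead: `root = os.path.realpath(form_config.static_dir)`, `path = os.path.realpath(os.path.join(root, fname))`, then `if not path.startswith(root + os.sep): raise HTTPError(403, "Invalid file name")`, which also covers symlinks that point out of the directory. `os.path.exists(path)` is also true for a directory, so `os.path.isfile(path)` is the better test before `file(path, 'r')`. The handler's body starts and ends outside the hunk, so whether the opened file is closed is not visible here.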
