Raise HTTPErrors instead of sending errors directly to the client.

pull/7/head
Ferry Boender 10 years ago
parent 6d7cdf744c
commit 0c1d213458
  1. 20
      src/webapp.py

@ -371,9 +371,7 @@ class ScriptFormWebApp(WebAppHandler):
form_def = form_config.get_form_def(form_name) form_def = form_config.get_form_def(form_name)
if form_def.allowed_users is not None and \ if form_def.allowed_users is not None and \
self.username not in form_def.allowed_users: self.username not in form_def.allowed_users:
# FIXME: Raise HTTPError instead? raise HTTPError(403, "You're not authorized to view this form")
self.send_error(401, "You're not authorized to view this form")
return
html_errors = u'' html_errors = u''
if errors: if errors:
@ -412,9 +410,7 @@ class ScriptFormWebApp(WebAppHandler):
form_def = form_config.get_form_def(form_name) form_def = form_config.get_form_def(form_name)
if form_def.allowed_users is not None and \ if form_def.allowed_users is not None and \
self.username not in form_def.allowed_users: self.username not in form_def.allowed_users:
# FIXME: Raise HTTPError instead? raise HTTPError(403, "You're not authorized to view this form")
self.send_error(401, "You're not authorized to view this form")
return
# Convert FieldStorage to a simple dict, because we're not allowd to # Convert FieldStorage to a simple dict, because we're not allowd to
# add items to it. For normal fields, the form field name becomes the # add items to it. For normal fields, the form field name becomes the
@ -506,20 +502,14 @@ class ScriptFormWebApp(WebAppHandler):
form_config = self.scriptform.get_form_config() form_config = self.scriptform.get_form_config()
if not form_config.static_dir: if not form_config.static_dir:
# FIXME: Raise Error raise HTTPError(501, "Static file serving not enabled")
self.send_error(501, "Static file serving not enabled")
return
if '..' in fname: if '..' in fname:
# FIXME: Raise Error raise HTTPError(403, "Invalid file name")
self.send_error(403, "Invalid file name")
return
path = os.path.join(form_config.static_dir, fname) path = os.path.join(form_config.static_dir, fname)
if not os.path.exists(path): if not os.path.exists(path):
# FIXME: Raise Error raise HTTPError(404, "Not found")
self.send_error(404, "Not found")
return
f = file(path, 'r') f = file(path, 'r')
self.send_response(200) self.send_response(200)
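Review bot: In the static-file hunk, the `'..' in fname` check does not by itself keep `path` inside `static_dir`, because `os.path.join` discards `form_config.static_dir` when its second argument is an absolute path. Whether an absolute `fname` can arrive here depends on how the handler derives it from the request, which is outside the hunk. I would resolve the joined path and require it to sit under the resolved static root before the existence check, as sketched below. `os.path.exists` is also true for directories, so `os.path.isfile` would let that case end in the 404 rather than fail at `file(path, 'r')`. The handler body continues past the last visible line.

```python
if '..' in fname:
    raise HTTPError(403, "Invalid file name")
# Resolve both sides and require the result to stay under static_dir.
static_root = os.path.realpath(form_config.static_dir)
path = os.path.realpath(os.path.join(static_root, fname))
if not path.startswith(static_root + os.sep):
    raise HTTPError(403, "Invalid file name")
# ... unchanged: existence check, file open and response ...
```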
