author | Jacek Tomasiak <jacek.tomasiak@gmail.com> | 2020-03-12 21:50:49 +0100 |
---|---|---|
committer | Jacek Tomasiak <jacek.tomasiak@gmail.com> | 2020-04-01 10:14:37 +0000 |
commit | cf6bc991e5133abdece81a57712b3037822eea3e (patch) | |
tree | 6dbaf6af6d082c8ecb467ed909459b0d90bea1d3 | |
parent | e058e381607e93439a59f47c36e6a9b7cf61cc71 (diff) | |
download | horizon-cf6bc991e5133abdece81a57712b3037822eea3e.tar.gz |
Authenticate before Authorization
When a user is not logged in and the given Dashboard has some `permissions`
defined, `require_perms` decorator was raising `NotAuthorized('You are
not authorized to access %s')` instead of `NotAuthenticated('Please log
in to continue.')`.
This was caused by the order of decorating the views. The decorator
which is applied last is called first in the chain as it wraps the
decorators which were applied before.
This means that to check for authentication before checking permissions
we need to apply the `require_auth` decorator after `require_perms`.
Closes-Bug: 1869708
Change-Id: I94d3fa5c1472bb72c9111cab14c6e05180f88589
(cherry picked from commit e4fd69292c4a8340eba33f5c9d516796472e9269)
-rw-r--r-- | horizon/base.py | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/horizon/base.py b/horizon/base.py
index 50efee407..2cdace254 100644
--- a/horizon/base.py
+++ b/horizon/base.py
@@ -573,13 +573,13 @@ class Dashboard(Registry, HorizonComponent):
 urlpatterns.append(
 url(r'', _wrapped_include(default_panel._decorated_urls)))
- # Require login if not public.
- if not self.public:
- _decorate_urlconf(urlpatterns, require_auth)
 # Apply access controls to all views in the patterns
 permissions = getattr(self, 'permissions', [])
 _decorate_urlconf(urlpatterns, require_perms, permissions)
 _decorate_urlconf(urlpatterns, _current_component, dashboard=self)
+ # Require login if not public.
+ if not self.public:
+ _decorate_urlconf(urlpatterns, require_auth)
 # Return the three arguments to django.conf.urls.include
 return urlpatterns, self.slug, self.slug |
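Review bot: The moved `_decorate_urlconf(urlpatterns, require_auth)` call keeps the comment `# Require login if not public.`, which says what the call does but not why it must now come after `require_perms` and `_current_component`. Because the decorator applied last runs first, a later tidy-up that moves the block back up would silently return NotAuthorized to logged-out users again. I would extend the comment to `# Require login if not public. Applied last so it wraps require_perms and runs first.` The diffstat lists only horizon/base.py, so a regression test asserting that an unauthenticated request to a non-public dashboard with `permissions` raises NotAuthenticated would pin the order. The enclosing method starts outside the hunk.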