Add additional 403 error info

ed098407 · Megan Henning · 0185d4b9 · ed098407 · ed098407 · ed098407
Commit ed098407 authored 7 years ago by Megan Henning
--- a/api/auth/containerauth.py
+++ b/api/auth/containerauth.py
@@ -14,7 +14,7 @@ def default_container(handler, container=None, target_parent_container=None):
    def g(exec_op):
        def f(method, _id=None, payload=None, unset_payload=None, recursive=False, r_payload=None, replace_metadata=False):
            projection = None
-            additional_error_msg = None
+            errors = None
            if method == 'GET' and container.get('public', False):
                has_access = True
            elif method == 'GET':
@@ -31,7 +31,16 @@ def default_container(handler, container=None, target_parent_container=None):
                    required_perm = 'admin'
                else:
                    required_perm = 'rw'
-                has_access = _get_access(handler.uid, container) >= INTEGER_PERMISSIONS[required_perm]
+                user_perms = _get_access(handler.uid, container)
+                has_access = user_perms >= INTEGER_PERMISSIONS[required_perm]
+                if not has_access and has_original_data and user_perms == INTEGER_PERMISSIONS['rw']:
+                    # The user was not granted access because the container had original data
+                    errors = {'reason': 'original_data_present'}
+                else:
+                    errors = {'reason': 'permission_denied'}
            elif method == 'PUT' and target_parent_container is not None:
                has_access = (
                    _get_access(handler.uid, container) >= INTEGER_PERMISSIONS['admin'] and
@@ -47,9 +56,7 @@ def default_container(handler, container=None, target_parent_container=None):
                return exec_op(method, _id=_id, payload=payload, unset_payload=unset_payload, recursive=recursive, r_payload=r_payload, replace_metadata=replace_metadata, projection=projection)
            else:
                error_msg = 'user not authorized to perform a {} operation on the container.'.format(method)
-                if additional_error_msg:
+                raise APIPermissionException(error_msg, errors=errors)
-                    error_msg += ' '+additional_error_msg
-                handler.abort(403, error_msg)
        return f
    return g

--- a/api/handlers/containerhandler.py
+++ b/api/handlers/containerhandler.py
@@ -544,9 +544,11 @@ class ContainerHandler(base.RequestHandler):
        target_parent_container, _ = self._get_parent_container(container)
        permchecker = self._get_permchecker(container, target_parent_container)
+        permchecker(noop)('DELETE', _id)
        try:
            # This line exec the actual delete checking permissions using the decorator permchecker
-            result = permchecker(self.storage.exec_op)('DELETE', _id)
+            result = self.storage.exec_op('DELETE', _id)
        except APIStorageException as e:
            self.abort(400, e.message)
        if result.modified_count == 1:

--- a/api/web/errors.py
+++ b/api/web/errors.py
@@ -15,7 +15,10 @@ class APINotFoundException(Exception):
    pass
 class APIPermissionException(Exception):
-    pass
+    def __init__(self, msg, errors=None):
+        super(APIPermissionException, self).__init__(msg)
+        self.errors = errors
 class APIRefreshTokenException(Exception):
    # Specifically alert a client when the user's refresh token expires