daniel
/
distribution
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #163 from stevvooe/bug-return-non-authorized 

Correctly return when repo name is not available
master
Olivier Gambier 2015-02-10 16:11:17 -08:00
parent 9bde7d9835 287e11e1d4
commit 4364cec50f
1 changed files with 10 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
docs/app.go
View File

@ -222,6 +222,7 @@ func (app *App) dispatcher(dispatch dispatchFunc) http.Handler {
}() }()
if err := app.authorized(w, r, context); err != nil { if err := app.authorized(w, r, context); err != nil {
ctxu.GetLogger(context).Errorf("error authorizing context: %v", err)
return return
} }
@ -270,8 +271,8 @@ func (app *App) context(w http.ResponseWriter, r *http.Request) *Context {
} }
// authorized checks if the request can proceed with access to the requested // authorized checks if the request can proceed with access to the requested
// repository. If it succeeds, the repository will be available on the // repository. If it succeeds, the context may access the requested
// context. An error will be if access is not available. // repository. An error will be returned if access is not available.
func (app *App) authorized(w http.ResponseWriter, r *http.Request, context *Context) error { func (app *App) authorized(w http.ResponseWriter, r *http.Request, context *Context) error {
ctxu.GetLogger(context).Debug("authorizing request") ctxu.GetLogger(context).Debug("authorizing request")
repo := getName(context) repo := getName(context)
@ -319,17 +320,19 @@ func (app *App) authorized(w http.ResponseWriter, r *http.Request, context *Cont
route := mux.CurrentRoute(r) route := mux.CurrentRoute(r)
if route == nil || route.GetName() != v2.RouteNameBase { if route == nil || route.GetName() != v2.RouteNameBase {
// For this to be properly secured, context.Name must always be set // For this to be properly secured, repo must always be set for a
// for a resource that may make a modification. The only condition // resource that may make a modification. The only condition under
// under which name is not set and we still allow access is when the // which name is not set and we still allow access is when the
// base route is accessed. This section prevents us from making that // base route is accessed. This section prevents us from making
// mistake elsewhere in the code, allowing any operation to proceed. // that mistake elsewhere in the code, allowing any operation to
// proceed.
w.Header().Set("Content-Type", "application/json; charset=utf-8") w.Header().Set("Content-Type", "application/json; charset=utf-8")
w.WriteHeader(http.StatusForbidden) w.WriteHeader(http.StatusForbidden)
var errs v2.Errors var errs v2.Errors
errs.Push(v2.ErrorCodeUnauthorized) errs.Push(v2.ErrorCodeUnauthorized)
serveJSON(w, errs) serveJSON(w, errs)
return fmt.Errorf("forbidden: no repository name")
} }
} }