-rw-r--r-- | mediagoblin/edit/views.py | 5 | ||||
-rw-r--r-- | mediagoblin/meddleware/csrf.py | 12 | ||||
-rw-r--r-- | mediagoblin/plugins/api/tools.py | 7 | ||||
-rw-r--r-- | mediagoblin/plugins/api/views.py | 9 |
4 files changed, 19 insertions, 14 deletions
diff --git a/mediagoblin/edit/views.py b/mediagoblin/edit/views.py index 6d938f7c..3be1e87b 100644 --- a/mediagoblin/edit/views.py +++ b/mediagoblin/edit/views.py @@ -18,6 +18,7 @@ from webob import exc from cgi import FieldStorage from datetime import datetime +from werkzeug.exceptions import Forbidden from werkzeug.utils import secure_filename from mediagoblin import messages @@ -41,7 +42,7 @@ import mimetypes @require_active_login def edit_media(request, media): if not may_edit_media(request, media): - return exc.HTTPForbidden() + return Forbidden("User may not edit this media") defaults = dict( title=media.title, @@ -165,7 +166,7 @@ def edit_attachments(request, media): {'media': media, 'form': form}) else: - return exc.HTTPForbidden() + return Forbidden("Attachments are disabled") @require_active_login diff --git a/mediagoblin/meddleware/csrf.py b/mediagoblin/meddleware/csrf.py index 1488e6d9..65db9827 100644 --- a/mediagoblin/meddleware/csrf.py +++ b/mediagoblin/meddleware/csrf.py @@ -17,7 +17,7 @@ import random import logging -from webob.exc import HTTPForbidden +from werkzeug.exceptions import Forbidden from wtforms import Form, HiddenField, validators from mediagoblin import mg_globals @@ -128,8 +128,9 @@ class CsrfMeddleware(BaseMeddleware): if cookie_token is None: # the CSRF cookie must be present in the request - _log.error('CSRF cookie not present') - return HTTPForbidden() + errstr = 'CSRF cookie not present' + _log.error(errstr) + return Forbidden(errstr) # get the form token and confirm it matches form = CsrfForm(request.form) @@ -142,5 +143,6 @@ class CsrfMeddleware(BaseMeddleware): # either the tokens didn't match or the form token wasn't # present; either way, the request is denied - _log.error('CSRF validation failed') - return HTTPForbidden() + errstr = 'CSRF validation failed' + _log.error(errstr) + return Forbidden(errstr) diff --git a/mediagoblin/plugins/api/tools.py b/mediagoblin/plugins/api/tools.py index ecc50364..c4073d23 100644 
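Review bot: `return Forbidden("User may not edit this media")` in edit_media hands the caller a Werkzeug HTTPException instance rather than a Response, and the same pattern recurs in edit_attachments and in the hunks of meddleware/csrf.py, plugins/api/tools.py and plugins/api/views.py. That works only if nothing between the view and the final WSGI call uses Response-only attributes; a response hook that sets a cookie or header on the return value would fail on exactly these 403 paths, which cannot be checked from the hunks shown. Raising it with `raise Forbidden("User may not edit this media")` and converting once in the dispatcher, or returning `Forbidden(...).get_response(request.environ)`, makes the denial path behave like any other response. Both function bodies continue outside the hunks.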
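Review bot: Both CSRF rejections in CsrfMeddleware log a fixed string with no request context, so a run of failures cannot be tied to a path or method during triage. Since `errstr` is now also the description sent in the 403 body, keep it a constant and add the request details only to the log call, for example `_log.error('%s: %s %r', errstr, request.method, request.path)`. The same applies to the 'CSRF cookie not present' branch. The enclosing method starts outside these hunks.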
--- a/mediagoblin/plugins/api/tools.py +++ b/mediagoblin/plugins/api/tools.py @@ -18,8 +18,9 @@ import logging import json from functools import wraps -from webob import exc, Response +from webob import Response from urlparse import urljoin +from werkzeug.exceptions import Forbidden from mediagoblin import mg_globals from mediagoblin.tools.pluginapi import PluginManager @@ -143,7 +144,7 @@ def api_auth(controller): # If we can't find any authentication methods, we should not let them # pass. if not auth_candidates: - return exc.HTTPForbidden() + return Forbidden() # For now, just select the first one in the list auth = auth_candidates[0] @@ -157,7 +158,7 @@ def api_auth(controller): 'status': 403, 'errors': auth.errors}) - return exc.HTTPForbidden() + return Forbidden() return controller(request, *args, **kw) diff --git a/mediagoblin/plugins/api/views.py b/mediagoblin/plugins/api/views.py index 7f93108e..39f864c4 100644 --- a/mediagoblin/plugins/api/views.py +++ b/mediagoblin/plugins/api/views.py @@ -19,7 +19,8 @@ import logging import uuid from os.path import splitext -from webob import exc, Response +from webob import Response +from werkzeug.exceptions import BadRequest, Forbidden from werkzeug.utils import secure_filename from werkzeug.datastructures import FileStorage from celery import registry @@ -47,13 +48,13 @@ def post_entry(request): if request.method != 'POST': _log.debug('Must POST against post_entry') - return exc.HTTPBadRequest() + return BadRequest() if not 'file' in request.files \ or not isinstance(request.files['file'], FileStorage) \ or not request.files['file'].stream: _log.debug('File field not found') - return exc.HTTPBadRequest() + return BadRequest() media_file = request.files['file'] @@ -129,7 +130,7 @@ def post_entry(request): @api_auth def api_test(request): if not request.user: - return exc.HTTPForbidden() + return Forbidden() user_data = { 'username': request.user.username, |
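Review bot: Neither `return Forbidden()` in api_auth records why the API request was refused, so rejected authentication attempts leave no trace for detection. Assuming the module has a logger (only `import logging` is visible), a line such as `_log.warning('API auth rejected: no authentication method matched')` before the first return, and a similar one before the second, would cover both. Separately, the bare `Forbidden()` produces Werkzeug's default HTML body while the neighbouring branch appears to answer with a `'status': 403, 'errors': auth.errors` payload, so API clients would see two different 403 formats. The decorator body continues outside both hunks.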
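Review bot: The non-POST branch of post_entry answers with `BadRequest()` (400) although the condition is a wrong method, not a malformed request. Importing `MethodNotAllowed` next to `BadRequest` and using `return MethodNotAllowed(valid_methods=['POST'])` gives clients a 405 with an Allow header, and keeps 400 for the missing-file case below it. post_entry's body continues outside the hunk.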