4 files changed, 25 insertions, 26 deletions

diff --git a/mediagoblin/plugins/api/tools.py b/mediagoblin/plugins/api/tools.py
index ecc50364..e5878258 100644
--- a/mediagoblin/plugins/api/tools.py
+++ b/mediagoblin/plugins/api/tools.py
@@ -18,9 +18,9 @@ import logging
 import json
 
 from functools import wraps
-from webob import exc, Response
 from urlparse import urljoin
-
+from werkzeug.exceptions import Forbidden
+from werkzeug.wrappers import Response
 from mediagoblin import mg_globals
 from mediagoblin.tools.pluginapi import PluginManager
 from mediagoblin.storage.filestorage import BasicFileStorage
@@ -54,23 +54,22 @@ class Auth(object):
 
 def json_response(serializable, _disable_cors=False, *args, **kw):
     '''
-    Serializes a json objects and returns a webob.Response object with the
+    Serializes a json objects and returns a werkzeug Response object with the
     serialized value as the response body and Content-Type: application/json.
 
     :param serializable: A json-serializable object
 
     Any extra arguments and keyword arguments are passed to the
-    webob.Response.__init__ method.
+    Response.__init__ method.
     '''
-    response = Response(json.dumps(serializable), *args, **kw)
-    response.headers['Content-Type'] = 'application/json'
+    response = Response(json.dumps(serializable), *args, content_type='application/json', **kw)
 
     if not _disable_cors:
         cors_headers = {
                 'Access-Control-Allow-Origin': '*',
                 'Access-Control-Allow-Methods': 'POST, GET, OPTIONS',
                 'Access-Control-Allow-Headers': 'Content-Type, X-Requested-With'}
-        response.headers.update(cors_headers)
+        (response.headers.set(key, value) for key, value in cors_headers)
 
     return response
 
@@ -136,14 +135,14 @@ def api_auth(controller):
         auth_candidates = []
 
         for auth in PluginManager().get_hook_callables('auth'):
-            _log.debug('Plugin auth: {0}'.format(auth))
             if auth.trigger(request):
+                _log.debug('{0} believes it is capable of authenticating this request.'.format(auth))
                 auth_candidates.append(auth)
 
         # If we can't find any authentication methods, we should not let them
         # pass.
         if not auth_candidates:
-            return exc.HTTPForbidden()
+            raise Forbidden()
 
         # For now, just select the first one in the list
         auth = auth_candidates[0]
@@ -157,7 +156,7 @@ def api_auth(controller):
                         'status': 403,
                         'errors': auth.errors})
 
-            return exc.HTTPForbidden()
+            raise Forbidden()
 
         return controller(request, *args, **kw)
 
diff --git a/mediagoblin/plugins/api/views.py b/mediagoblin/plugins/api/views.py
index a1b1bcac..d3cef432 100644
--- a/mediagoblin/plugins/api/views.py
+++ b/mediagoblin/plugins/api/views.py
@@ -19,12 +19,12 @@ import logging
 import uuid
 
 from os.path import splitext
-from webob import exc, Response
-from werkzeug.utils import secure_filename
 from werkzeug.datastructures import FileStorage
+from werkzeug.exceptions import BadRequest, Forbidden
+from werkzeug.utils import secure_filename
+from werkzeug.wrappers import Response
 from celery import registry
 
-from mediagoblin.db.util import ObjectId
 from mediagoblin.decorators import require_active_login
 from mediagoblin.processing import mark_entry_failed
 from mediagoblin.processing.task import ProcessMedia
@@ -47,20 +47,19 @@ def post_entry(request):
 
     if request.method != 'POST':
         _log.debug('Must POST against post_entry')
-        return exc.HTTPBadRequest()
+        raise BadRequest()
 
     if not 'file' in request.files \
             or not isinstance(request.files['file'], FileStorage) \
             or not request.files['file'].stream:
         _log.debug('File field not found')
-        return exc.HTTPBadRequest()
+        raise BadRequest()
 
     media_file = request.files['file']
 
     media_type, media_manager = sniff_media(media_file)
 
     entry = request.db.MediaEntry()
-    entry.id = ObjectId()
     entry.media_type = unicode(media_type)
     entry.title = unicode(request.form.get('title')
             or splitext(media_file.filename)[0])
@@ -93,7 +92,7 @@ def post_entry(request):
     entry.queued_task_id = task_id
 
     # Save now so we have this data before kicking off processing
-    entry.save(validate=True)
+    entry.save()
 
     if request.form.get('callback_url'):
         metadata = request.db.ProcessingMetaData()
@@ -108,7 +107,7 @@ def post_entry(request):
     process_media = registry.tasks[ProcessMedia.name]
     try:
         process_media.apply_async(
-            [unicode(entry._id)], {},
+            [unicode(entry.id)], {},
             task_id=task_id)
     except BaseException as e:
         # The purpose of this section is because when running in "lazy"
@@ -119,7 +118,7 @@ def post_entry(request):
         #
         # ... not completely the diaper pattern because the
         # exception is re-raised :)
-        mark_entry_failed(entry._id, e)
+        mark_entry_failed(entry.id, e)
         # re-raise the exception
         raise
 
@@ -129,12 +128,14 @@ def post_entry(request):
 @api_auth
 def api_test(request):
     if not request.user:
-        return exc.HTTPForbidden()
+        raise Forbidden()
 
     user_data = {
             'username': request.user.username,
             'email': request.user.email}
 
+    # TODO: This is the *only* thing using Response() here, should that
+    # not simply use json_response()?
     return Response(json.dumps(user_data))
 
 
diff --git a/mediagoblin/plugins/httpapiauth/__init__.py b/mediagoblin/plugins/httpapiauth/__init__.py
index d3d2065e..081b590e 100644
--- a/mediagoblin/plugins/httpapiauth/__init__.py
+++ b/mediagoblin/plugins/httpapiauth/__init__.py
@@ -41,7 +41,7 @@ class HTTPAuth(Auth):
             return False
 
         user = request.db.User.query.filter_by(
-                username=request.authorization['username']).first()
+                username=unicode(request.authorization['username'])).first()
 
         if user.check_login(request.authorization['password']):
             request.user = user
diff --git a/mediagoblin/plugins/oauth/views.py b/mediagoblin/plugins/oauth/views.py
index 643c2783..c7b2a332 100644
--- a/mediagoblin/plugins/oauth/views.py
+++ b/mediagoblin/plugins/oauth/views.py
@@ -18,7 +18,6 @@
 import logging
 import json
 
-from webob import exc, Response
 from urllib import urlencode
 from uuid import uuid4
 from datetime import datetime
@@ -95,7 +94,7 @@ def authorize_client(request):
     if not client:
         _log.error('''No such client id as received from client authorization
                 form.''')
-        return exc.HTTPBadRequest()
+        return BadRequest()
 
     if form.validate():
         relation = OAuthUserClient()
@@ -106,11 +105,11 @@ def authorize_client(request):
         elif form.deny.data:
             relation.state = u'rejected'
         else:
-            return exc.HTTPBadRequest
+            return BadRequest
 
         relation.save()
 
-        return exc.HTTPFound(location=form.next.data)
+        return redirect(request, location=form.next.data)
 
     return render_to_response(
         request,
@@ -163,7 +162,7 @@ def authorize(request, client):
 
         _log.debug('Redirecting to {0}'.format(redirect_uri))
 
-        return exc.HTTPFound(location=redirect_uri)
+        return redirect(request, location=redirect_uri)
     else:
         # Show prompt to allow client to access data
         # - on accept: send the user agent back to the redirect_uri with the