Change non logged in 403s to 401s.

auth/scopes.py

@@ -30,7 +30,7 @@ CREATE_REPO = {
                   'the granting user or robot account is allowed to create repositories')
 }
 
-USER_READ = {
+READ_USER = {
   'scope': 'user:read',
   'icon': 'fa-user',
   'title': 'Read User Information',
@@ -39,7 +39,7 @@ USER_READ = {
 }
 
 ALL_SCOPES = {scope['scope']:scope for scope in (READ_REPO, WRITE_REPO, ADMIN_REPO, CREATE_REPO,
-                                                 USER_READ)}
+                                                 READ_USER)}
 
 
 def scopes_from_scope_string(scopes):

endpoints/api/__init__.py

@@ -57,7 +57,12 @@ class InvalidToken(ApiException):
 
 class Unauthorized(ApiException):
   def __init__(self, payload=None):
-    ApiException.__init__(self, 'insufficient_scope', 403, 'Unauthorized', payload)
+    user = get_authenticated_user()
+    if user is None or user.organization:
+      ApiException.__init__(self, 'invalid_token', 401, "Requires authentication", payload)
+    else:
+      ApiException.__init__(self, 'insufficient_scope', 403, 'Unauthorized', payload)
+
 
 
 class NotFound(ApiException):
@@ -190,8 +195,7 @@ def require_user_permission(permission_class, scope=None):
     def wrapped(self, *args, **kwargs):
       user = get_authenticated_user()
       if not user:
-        logger.debug('User is anonymous.')
+        raise Unauthorized()
-        raise InvalidToken('Method requires an auth token or user login.')
 
       logger.debug('Checking permission %s for user', permission_class, user.username)
       permission = permission_class(user.username)
@@ -202,7 +206,7 @@ def require_user_permission(permission_class, scope=None):
   return wrapper
 
 
-require_user_read = require_user_permission(UserReadPermission, scopes.USER_READ)
+require_user_read = require_user_permission(UserReadPermission, scopes.READ_USER)
 require_user_admin = require_user_permission(UserAdminPermission, None)
 
 

endpoints/api/user.py

@@ -8,13 +8,14 @@ from flask.ext.principal import identity_changed, AnonymousIdentity
 from app import app
 from endpoints.api import (ApiResource, nickname, resource, validate_json_request, request_error,
                            log_action, internal_only, NotFound, Unauthorized, require_user_admin,
-                           require_user_read, InvalidToken)
+                           require_user_read, InvalidToken, require_scope)
 from endpoints.api.subscribe import subscribe
 from endpoints.common import common_login
 from data import model
 from data.plans import get_plan
 from auth.permissions import AdministerOrganizationPermission, CreateRepositoryPermission
 from auth.auth_context import get_authenticated_user
+from auth import scopes
 from util.gravatar import compute_hash
 from util.email import (send_confirmation_email, send_recovery_email,
                         send_change_email)
@@ -108,13 +109,13 @@ class User(ApiResource):
     },
   }
 
-  @require_user_read
+  @require_scope(scopes.READ_USER)
   @nickname('getLoggedInUser')
   def get(self):
     """ Get user information for the authenticated user. """
     user = get_authenticated_user()
-    if user.organization:
+    if user is None or user.organization:
-      raise InvalidToken('User must not be an organization.')
+      raise InvalidToken("Requires authentication", payload={'session_required': False})
 
     return user_view(user)
 

test/test_api_usage.py

@@ -828,7 +828,7 @@ class TestGetRepository(ApiTestCase):
   def test_getrepo_org_asnonmember(self):
     self.getResponse(Repository,
                      params=dict(repository=ORGANIZATION + '/' + ORG_REPO),
-                     expected_code=403)
+                     expected_code=401)
 
   def test_getrepo_org_asreader(self):
     self.login(READ_ACCESS_USER)