From 228f08226b1ddbe1266f8cf6e35b935dcf334fb4 Mon Sep 17 00:00:00 2001 From: Evan Rusackas Date: Wed, 15 Dec 2021 17:11:04 -0700 Subject: [PATCH] fix: change 401 response to a 403 for Security Exceptions (#17768) * fix: change 401 to 403 for Security Exceptions * updating tests to reflect new (proper) status code * another test update --- superset/exceptions.py | 2 +- tests/integration_tests/charts/data/api_tests.py | 4 ++-- .../dashboards/security/security_rbac_tests.py | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/superset/exceptions.py b/superset/exceptions.py index 2a902608a6a97..6ed3a0e8661e3 100644 --- a/superset/exceptions.py +++ b/superset/exceptions.py @@ -149,7 +149,7 @@ def __init__( class SupersetSecurityException(SupersetErrorException): - status = 401 + status = 403 def __init__( self, error: SupersetError, payload: Optional[Dict[str, Any]] = None diff --git a/tests/integration_tests/charts/data/api_tests.py b/tests/integration_tests/charts/data/api_tests.py index cf6d0b537f145..2831c291c7097 100644 --- a/tests/integration_tests/charts/data/api_tests.py +++ b/tests/integration_tests/charts/data/api_tests.py @@ -464,7 +464,7 @@ def test_with_invalid_time_range_endpoints_enum_value__400(self): assert rv.status_code == 400 - def test_with_not_permitted_actor__401(self): + def test_with_not_permitted_actor__403(self): """ Chart data API: Test chart data query not allowed """ @@ -472,7 +472,7 @@ def test_with_not_permitted_actor__401(self): self.login(username="gamma") rv = self.post_assert_metric(CHART_DATA_URI, self.query_context_payload, "data") - assert rv.status_code == 401 + assert rv.status_code == 403 assert ( rv.json["errors"][0]["error_type"] == SupersetErrorType.DATASOURCE_SECURITY_ACCESS_ERROR diff --git a/tests/integration_tests/dashboards/security/security_rbac_tests.py b/tests/integration_tests/dashboards/security/security_rbac_tests.py index c1be5a911ae32..bb97a35129fe8 100644 --- a/tests/integration_tests/dashboards/security/security_rbac_tests.py +++ b/tests/integration_tests/dashboards/security/security_rbac_tests.py @@ -91,7 +91,7 @@ def test_get_dashboard_view__user_can_not_access_without_permission(self): request_payload = get_query_context("birth_names") rv = self.post_assert_metric(CHART_DATA_URI, request_payload, "data") - self.assertEqual(rv.status_code, 401) + self.assertEqual(rv.status_code, 403) # assert self.assert403(response)