Change HTTP Status 401 to 403 in AuthorizedUser

This signals to the front end that a user must go through another OAuth
flow.
multitenancy_temp_stash
Michael Desa 2017-11-21 18:55:26 -05:00
parent cf82990623
commit f2591c9eb1
2 changed files with 12 additions and 8 deletions


@ -81,13 +81,13 @@ func AuthorizedUser(
p, err := getValidPrincipal(ctx)
if err != nil {
log.Error("Failed to retrieve principal from context")
Error(w, http.StatusUnauthorized, "User is not authorized", logger)
Error(w, http.StatusForbidden, "User is not authorized", logger)
return
}
scheme, err := getScheme(ctx)
if err != nil {
log.Error("Failed to retrieve scheme from context")
Error(w, http.StatusUnauthorized, "User is not authorized", logger)
Error(w, http.StatusForbidden, "User is not authorized", logger)
return
}
@ -96,7 +96,7 @@ func AuthorizedUser(
defaultOrg, err := store.Organizations(serverCtx).DefaultOrganization(serverCtx)
if err != nil {
log.Error(fmt.Sprintf("Failed to retrieve the default organization: %v", err))
Error(w, http.StatusUnauthorized, "User is not authorized", logger)
Error(w, http.StatusForbidden, "User is not authorized", logger)
return
}
p.Organization = fmt.Sprintf("%d", defaultOrg.ID)
@ -106,13 +106,13 @@ func AuthorizedUser(
orgID, err := parseOrganizationID(p.Organization)
if err != nil {
log.Error("Failed to validate organization on context")
Error(w, http.StatusUnauthorized, "User is not authorized", logger)
Error(w, http.StatusForbidden, "User is not authorized", logger)
return
}
_, err = store.Organizations(serverCtx).Get(serverCtx, chronograf.OrganizationQuery{ID: &orgID})
if err != nil {
log.Error(fmt.Sprintf("Failed to retrieve organization %d from organizations store", orgID))
Error(w, http.StatusUnauthorized, "User is not authorized", logger)
Error(w, http.StatusForbidden, "User is not authorized", logger)
return
}
ctx = context.WithValue(ctx, organizations.ContextKey, p.Organization)
@ -125,7 +125,7 @@ func AuthorizedUser(
if err != nil {
log.Error("Failed to retrieve user")
Error(w, http.StatusUnauthorized, "User is not authorized", logger)
Error(w, http.StatusForbidden, "User is not authorized", logger)
return
}
// In particular this is used by sever/users.go so that we know when and when not to
@ -156,7 +156,7 @@ func AuthorizedUser(
})
if err != nil {
log.Error("Failed to retrieve user")
Error(w, http.StatusUnauthorized, "User is not authorized", logger)
Error(w, http.StatusForbidden, "User is not authorized", logger)
return
}
@ -176,7 +176,7 @@ func AuthorizedUser(
return
}
Error(w, http.StatusUnauthorized, "User is not authorized", logger)
Error(w, http.StatusForbidden, "User is not authorized", logger)
return
})
}
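Review bot: The first two branches of the hunk at @ -81 (getValidPrincipal and getScheme failing) now answer 403 for a request that carries no usable identity at all, which is the case 401 exists for; RFC 7231 defines 403 as "authorization will not help", so a client following the spec would stop rather than start a new OAuth flow, which the description says is the goal. Keeping `Error(w, http.StatusUnauthorized, "User is not authorized", logger)` in those two branches and reserving 403 for the organization and user lookups further down would let the front end distinguish "log in" from "this identity is not allowed here" without parsing the body, which is the same string in all eight branches. If the front end really keys on 403 for re-authentication, that convention deserves a comment at the top of the closure, e.g. `// 403 (not 401) is deliberate: the UI treats it as a signal to restart the OAuth flow.`, since the next reader will otherwise assume the codes were swapped by mistake. AuthorizedUser's signature and the start of its body lie outside the section.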


@ -1583,6 +1583,10 @@ func TestAuthorizedUser(t *testing.T) {
t.Errorf("%q. AuthorizedUser() = %v, expected %v", tt.name, authorized, tt.authorized)
}
if !authorized && w.Code != http.StatusForbidden {
t.Errorf("%q. AuthorizedUser() Status Code = %v, expected %v", tt.name, w.Code, http.StatusForbidden)
}
if hasServerCtx != tt.hasServerContext {
t.Errorf("%q. AuthorizedUser().Context().Server = %v, expected %v", tt.name, hasServerCtx, tt.hasServerContext)
}