Bowe Strickland
2018-10-27 323fa95deea50f49c119728fc2eeacb9e0c51241
Throw 401 for security denial for unauthenticated

The security framework currently throws HTTPForbidden for security failures, regardless of user context.

To better align with security frameworks, such as repoze.who, and internet convention, pyramid should throw 401 for unauthenticated users, to give them the opportunity to log in and try again....
1 files modified
8 ■■■■■ changed files
src/pyramid/viewderivers.py
@@ -2,7 +2,7 @@
from zope.interface import implementer, provider
from pyramid.security import NO_PERMISSION_REQUIRED
from pyramid.security import NO_PERMISSION_REQUIRED, Authenticated
from pyramid.csrf import check_csrf_origin, check_csrf_token
from pyramid.response import Response
@@ -20,7 +20,7 @@
from pyramid.compat import is_bound_method, is_unbound_method
from pyramid.exceptions import ConfigurationError
from pyramid.httpexceptions import HTTPForbidden
from pyramid.httpexceptions import HTTPForbidden, HTTPUnauthorized
from pyramid.util import object_description, takes_one_arg
from pyramid.view import render_view_to_response
from pyramid import renderers
@@ -329,7 +329,9 @@
                'authdebug_message',
                'Unauthorized: %s failed permission check' % view_name,
            )
            raise HTTPForbidden(msg, result=result)
            if Authenticated in result.principals:
                raise HTTPForbidden(msg, result=result)
            raise HTTPUnauthorized(msg)
        wrapped_view = secured_view
        wrapped_view.__call_permissive__ = view
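Review bot: The new branch `if Authenticated in result.principals:` reads an attribute of the authorization result, yet the enclosing secured_view (its start lies outside the hunk) only tests `result` for truthiness, so a policy whose permits() returns a plain false value rather than an ACL denial object would, as far as the hunk shows, raise AttributeError here instead of the intended 403 or 401. The request's own principal list avoids that dependency on the result type: `if Authenticated in request.effective_principals:`. Separately, RFC 7235 requires a 401 response to carry a `WWW-Authenticate` header and `raise HTTPUnauthorized(msg)` sets none, so a client cannot tell which challenge to answer; a comment stating where that header is expected to come from (the authentication policy's forget() headers or an application exception view) would make the contract explicit. Unlike the 403 branch, the 401 is raised without `result=`, so the denial detail is no longer attached to the exception; if HTTPUnauthorized cannot carry it, a one-line comment saying so would stop a later reader from "fixing" the asymmetry.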