From 323fa95deea50f49c119728fc2eeacb9e0c51241 Mon Sep 17 00:00:00 2001
From: Bowe Strickland <bowe@redhat.com>
Date: Sat, 27 Oct 2018 13:48:20 +0200
Subject: [PATCH] Throw 401 for security denial for unauthenticated

---
 src/pyramid/viewderivers.py |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/pyramid/viewderivers.py b/src/pyramid/viewderivers.py
index fbe0c25..cad9da4 100644
--- a/src/pyramid/viewderivers.py
+++ b/src/pyramid/viewderivers.py
@@ -2,7 +2,7 @@
 
 from zope.interface import implementer, provider
 
-from pyramid.security import NO_PERMISSION_REQUIRED
+from pyramid.security import NO_PERMISSION_REQUIRED, Authenticated
 from pyramid.csrf import check_csrf_origin, check_csrf_token
 from pyramid.response import Response
 
@@ -20,7 +20,7 @@
 from pyramid.compat import is_bound_method, is_unbound_method
 
 from pyramid.exceptions import ConfigurationError
-from pyramid.httpexceptions import HTTPForbidden
+from pyramid.httpexceptions import HTTPForbidden, HTTPUnauthorized
 from pyramid.util import object_description, takes_one_arg
 from pyramid.view import render_view_to_response
 from pyramid import renderers
@@ -329,7 +329,9 @@
                 'authdebug_message',
                 'Unauthorized: %s failed permission check' % view_name,
             )
-            raise HTTPForbidden(msg, result=result)
+            if Authenticated in result.principals:
+                raise HTTPForbidden(msg, result=result)
+            raise HTTPUnauthorized(msg)
 
         wrapped_view = secured_view
         wrapped_view.__call_permissive__ = view
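Review bot: `result.principals` on the added `if` line assumes every denial result carries a `principals` attribute. The hunk does not show where `result` is produced, but if the configured authorization policy returns a plain boolean or a denial object without that attribute, this path would raise `AttributeError` and surface as a 500 rather than a 401 or 403. Reading the attribute defensively and failing closed to 403 keeps the previous behaviour for such policies: `principals = getattr(result, 'principals', None)` followed by `if principals is None or Authenticated in principals:`. The new `raise HTTPUnauthorized(msg)` also drops `result=result` and sets no `WWW-Authenticate` header, which a 401 response is expected to carry, and applications that hook their login redirect onto the forbidden view may stop seeing unauthenticated denials. The function bound to `secured_view` starts outside the hunk, so the origin of `result` should be confirmed there.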

--
Gitblit v1.9.3