Converted many cases of plain-text 403 messages to use a properly styled page instead, with a login link when appropriate. Also changed some API endpoint 400 responses to a more correct 403.

 - Legacy-Id: 18339

Author: levkowetz

ietf/api/tests.py

@@ -83,7 +83,7 @@ def test_api_set_session_video_url(self):
         badrole.person.user.last_login = timezone.now()
         badrole.person.user.save()
         r = self.client.post(url, {'apikey': badapikey.hash()} )
-        self.assertContains(r, "Restricted to role Recording Manager", status_code=403)
+        self.assertContains(r, "Restricted to role: Recording Manager", status_code=403)
 
         r = self.client.post(url, {'apikey': apikey.hash()} )
         self.assertContains(r, "Too long since last regular login", status_code=400)
@@ -173,7 +173,7 @@ def test_api_upload_bluesheet(self):
         badrole.person.user.last_login = timezone.now()
         badrole.person.user.save()
         r = self.client.post(url, {'apikey': badapikey.hash()} )
-        self.assertContains(r, "Restricted to roles Recording Manager, Secretariat", status_code=403)
+        self.assertContains(r, "Restricted to roles: Recording Manager, Secretariat", status_code=403)
 
         r = self.client.post(url, {'apikey': apikey.hash()} )
         self.assertContains(r, "Too long since last regular login", status_code=400)
@@ -257,7 +257,7 @@ def test_api_v2_person_export_view(self):
         badrole.person.user.last_login = timezone.now()
         badrole.person.user.save()
         r = self.client.post(url, {'apikey': badapikey.hash()})
-        self.assertContains(r, "Restricted to role Secretariat", status_code=403)
+        self.assertContains(r, "Restricted to role: Secretariat", status_code=403)
 
         r = self.client.post(url, {'apikey': apikey.hash()})
         self.assertContains(r, "Too long since last regular login", status_code=400)
@@ -292,7 +292,7 @@ def test_api_new_meeting_registration(self):
             }
         url = urlreverse('ietf.api.views.api_new_meeting_registration')
         r = self.client.post(url, reg)
-        self.assertContains(r, 'Invalid apikey', status_code=400)
+        self.assertContains(r, 'Invalid apikey', status_code=403)
         oidcp = PersonFactory(user__is_staff=True)
         # Make sure 'oidcp' has an acceptable role
         RoleFactory(name_id='robot', person=oidcp, email=oidcp.email(), group__acronym='secretariat')

ietf/community/views.py

@@ -7,7 +7,7 @@
 import json
 import uuid
 
-from django.http import HttpResponse, HttpResponseForbidden, HttpResponseRedirect, Http404
+from django.http import HttpResponse, HttpResponseRedirect, Http404
 from django.shortcuts import get_object_or_404, render
 from django.contrib.auth.decorators import login_required
 from django.utils.html import strip_tags
@@ -21,6 +21,7 @@
 from ietf.community.utils import states_of_significant_change, reset_name_contains_index_for_rule
 from ietf.doc.models import DocEvent, Document
 from ietf.doc.utils_search import prepare_document_table
+from ietf.utils.response import permission_denied
 
 def view_list(request, username=None):
     clist = lookup_community_list(username)
@@ -45,7 +46,7 @@ def manage_list(request, username=None, acronym=None, group_type=None):
     clist = lookup_community_list(username, acronym)
 
     if not can_manage_community_list(request.user, clist):
-        return HttpResponseForbidden("You do not have permission to access this view")
+        permission_denied(request, "You do not have permission to access this view")
 
     action = request.POST.get('action')
 
@@ -129,7 +130,7 @@ def track_document(request, name, username=None, acronym=None):
     if request.method == "POST":
         clist = lookup_community_list(username, acronym)
         if not can_manage_community_list(request.user, clist):
-            return HttpResponseForbidden("You do not have permission to access this view")
+            permission_denied(request, "You do not have permission to access this view")
 
         if clist.pk is None:
             clist.save()
@@ -151,7 +152,7 @@ def untrack_document(request, name, username=None, acronym=None):
     doc = get_object_or_404(Document, docalias__name=name)
     clist = lookup_community_list(username, acronym)
     if not can_manage_community_list(request.user, clist):
-        return HttpResponseForbidden("You do not have permission to access this view")
+        permission_denied(request, "You do not have permission to access this view")
 
     if request.method == "POST":
         if clist.pk is not None:

ietf/dbtemplate/views.py

@@ -1,4 +1,6 @@
-from django.http import HttpResponseForbidden, HttpResponseRedirect
+# Copyright The IETF Trust 2012-2020, All Rights Reserved
+
+from django.http import HttpResponseRedirect
 from django.shortcuts import get_object_or_404, render
 
 import debug                            # pyflakes:ignore
@@ -7,13 +9,14 @@
 from ietf.dbtemplate.forms import DBTemplateForm
 from ietf.group.models import Group
 from ietf.ietfauth.utils import has_role
+from ietf.utils.response import permission_denied
 
 
 def group_template_list(request, acronym):
     group = get_object_or_404(Group, acronym=acronym)
     chairs = group.role_set.filter(name__slug='chair')
     if not has_role(request.user, "Secretariat") and not (request.user.id and chairs.filter(person__user=request.user).count()):
-        return HttpResponseForbidden("You are not authorized to access this view")
+        permission_denied(request, "You are not authorized to access this view.")
 
     template_list = DBTemplate.objects.filter(group=group)
     return render(request, 'dbtemplate/template_list.html',
@@ -28,7 +31,7 @@ def group_template_edit(request, acronym, template_id, base_template='dbtemplate
     extra_context = extra_context or {}
 
     if not has_role(request.user, "Secretariat") and not (request.user.id and chairs.filter(person__user=request.user).count()):
-        return HttpResponseForbidden("You are not authorized to access this view")
+        permission_denied(request, "You are not authorized to access this view.")
 
     template = get_object_or_404(DBTemplate, id=template_id, group=group)
     if request.method == 'POST':
@@ -52,7 +55,7 @@ def group_template_show(request, acronym, template_id, base_template='dbtemplate
     extra_context = extra_context or {}
 
     if not has_role(request.user, "Secretariat") and not (request.user.id and chairs.filter(person__user=request.user).count()):
-        return HttpResponseForbidden("You are not authorized to access this view")
+        permission_denied(request, "You are not authorized to access this view.")
 
     template = get_object_or_404(DBTemplate, id=template_id, group=group)
 

ietf/doc/tests_ballot.py

@@ -739,7 +739,7 @@ def test_ballot_downref_approve(self):
         # Only Secretariat can use this URL
         login_testing_unauthorized(self, "ad", url)
         r = self.client.get(url)
-        self.assertContains(r, "Restricted to role Secretariat", status_code=403)
+        self.assertContains(r, "Restricted to role: Secretariat", status_code=403)
 
         # There are no downrefs, the page should say so
         login_testing_unauthorized(self, "secretary", url)

ietf/doc/views_ballot.py

@@ -8,7 +8,7 @@
 
 from django import forms
 from django.conf import settings
-from django.http import HttpResponse, HttpResponseForbidden, HttpResponseRedirect, Http404
+from django.http import HttpResponse, HttpResponseRedirect, Http404
 from django.shortcuts import render, get_object_or_404, redirect
 from django.template.defaultfilters import striptags
 from django.template.loader import render_to_string
@@ -28,6 +28,7 @@
     generate_issue_ballot_mail, generate_ballot_writeup, generate_ballot_rfceditornote,
     generate_approval_mail, email_irsg_ballot_closed, email_irsg_ballot_issued )
 from ietf.doc.lastcall import request_last_call
+from ietf.doc.templatetags.ietf_filters import can_ballot
 from ietf.iesg.models import TelechatDate
 from ietf.ietfauth.utils import has_role, role_required, is_authorized_in_doc_stream
 from ietf.mailtrigger.utils import gather_address_lists
@@ -38,7 +39,7 @@
 from ietf.utils import log
 from ietf.utils.mail import send_mail_text, send_mail_preformatted
 from ietf.utils.decorators import require_api_key
-from ietf.doc.templatetags.ietf_filters import can_ballot
+from ietf.utils.response import permission_denied
 
 BALLOT_CHOICES = (("yes", "Yes"),
                   ("noobj", "No Objection"),
@@ -213,7 +214,7 @@ def edit_position(request, name, ballot_id):
         old_pos = None
         if not has_role(request.user, "Secretariat") and not can_ballot(request.user, doc):
             # prevent pre-ADs from voting
-            return HttpResponseForbidden("Must be a proper Area Director in an active area or IRSG Member to cast ballot")
+            permission_denied(request, "Must be a proper Area Director in an active area or IRSG Member to cast ballot")
 
         form = EditPositionForm(request.POST, ballot_type=ballot.ballot_type)
         if form.is_valid():
@@ -682,7 +683,7 @@ def ballot_rfceditornote(request, name):
     doc = get_object_or_404(Document, docalias__name=name)
 
     if not is_authorized_in_doc_stream(request.user, doc):
-        return HttpResponseForbidden("You do not have the necessary permissions to change the RFC Editor Note for this document")
+        permission_denied(request, "You do not have the necessary permissions to change the RFC Editor Note for this document")
 
     login = request.user.person
 

ietf/doc/views_charter.py

@@ -8,7 +8,7 @@
 import os
 import textwrap
 
-from django.http import HttpResponseRedirect, HttpResponseNotFound, HttpResponseForbidden, Http404
+from django.http import HttpResponseRedirect, HttpResponseNotFound, Http404
 from django.shortcuts import get_object_or_404, redirect, render
 from django.urls import reverse as urlreverse
 from django import forms
@@ -32,16 +32,17 @@
     change_group_state_after_charter_approval, fix_charter_revision_after_approval,
     split_charter_name)
 from ietf.doc.mails import email_state_changed, email_charter_internal_review
+from ietf.group.mails import email_admin_re_charter
 from ietf.group.models import Group, ChangeStateGroupEvent, MilestoneGroupEvent
 from ietf.group.utils import save_group_in_history, save_milestone_in_history, can_manage_group_type
+from ietf.group.views import fill_in_charter_info
 from ietf.ietfauth.utils import has_role, role_required
 from ietf.name.models import GroupStateName
 from ietf.person.models import Person
 from ietf.utils.history import find_history_active_at
 from ietf.utils.mail import send_mail_preformatted 
 from ietf.utils.textupload import get_cleaned_text_file_content
-from ietf.group.mails import email_admin_re_charter
-from ietf.group.views import fill_in_charter_info
+from ietf.utils.response import permission_denied
 
 class ChangeStateForm(forms.Form):
     charter_state = forms.ModelChoiceField(State.objects.filter(used=True, type="charter"), label="Charter state", empty_label=None, required=False)
@@ -70,7 +71,7 @@ def change_state(request, name, option=None):
     group = charter.group
 
     if not can_manage_group_type(request.user, group):
-        return HttpResponseForbidden("You don't have permission to access this view")
+        permission_denied(request, "You don't have permission to access this view.")
 
     chartering_type = get_chartering_type(charter)
 
@@ -261,7 +262,7 @@ def change_title(request, name, option=None):
     charter = get_object_or_404(Document, type="charter", name=name)
     group = charter.group
     if not can_manage_group_type(request.user, group):
-        return HttpResponseForbidden("You don't have permission to access this view")
+        permission_denied(request, "You don't have permission to access this view.")
     by = request.user.person
     if request.method == 'POST':
         form = ChangeTitleForm(request.POST, charter=charter)
@@ -374,7 +375,7 @@ def submit(request, name, option=None):
         charter_rev = "00-00"
 
     if not can_manage_group_type(request.user, group) or not group.features.has_chartering_process:
-        return HttpResponseForbidden("You don't have permission to access this view")
+        permission_denied(request, "You don't have permission to access this view.")
 
 
     path = os.path.join(settings.CHARTER_PATH, '%s-%s.txt' % (charter_canonical_name, charter_rev))

ietf/doc/views_doc.py

@@ -43,7 +43,7 @@
 
 from urllib.parse import quote
 
-from django.http import HttpResponse, Http404 , HttpResponseForbidden
+from django.http import HttpResponse, Http404
 from django.shortcuts import render, get_object_or_404, redirect
 from django.template.loader import render_to_string
 from django.urls import reverse as urlreverse
@@ -76,6 +76,7 @@
 from ietf.review.utils import can_request_review_of_doc, review_assignments_to_list_for_docs
 from ietf.review.utils import no_review_from_teams_on_doc
 from ietf.utils import markup_txt
+from ietf.utils.response import permission_denied
 from ietf.utils.text import maybe_split
 
 
@@ -1199,7 +1200,7 @@ def add_comment(request, name):
         can_add_comment = has_role(request.user, ("Area Director", "Secretariat", "IRTF Chair"))
     if not can_add_comment:
         # The user is a chair or secretary, but not for this WG or RG
-        return HttpResponseForbidden("You need to be a chair or secretary of this group to add a comment.")
+        permission_denied(request, "You need to be a chair or secretary of this group to add a comment.")
 
     if request.method == 'POST':
         form = AddCommentForm(request.POST)
@@ -1272,7 +1273,7 @@ def edit_notify(request, name):
     doc = get_object_or_404(Document, name=name)
 
     if not ( is_authorized_in_doc_stream(request.user, doc) or user_is_person(request.user, doc.shepherd and doc.shepherd.person) or has_role(request.user, ["Area Director"]) ):
-        return HttpResponseForbidden("You do not have permission to perform this action")
+        permission_denied(request, "You do not have permission to perform this action")
 
     init = { "notify" : doc.notify }