@@ -640,6 +640,13 @@ def handle_preflight(self):
640640 self .setHeader ("Content-Length" , str (len (output )))
641641 self .write (output )
642642
643+ def reject_request (self , message , message_type = "text/plain" ,
644+ status = http_ .client .UNAUTHORIZED ):
645+ self .response_code = status
646+ self .setHeader ("Content-Length" , str (len (message )))
647+ self .setHeader ("Content-Type" , message_type )
648+ self .write (message )
649+
643650 def handle_rest (self ):
644651 # Set the charset and language
645652 self .determine_charset ()
@@ -652,31 +659,26 @@ def handle_rest(self):
652659 self .db .tx_Source = "rest"
653660 self .db .i18n = self .translator
654661 except LoginError as err :
655- self .response_code = http_ .client .UNAUTHORIZED
656662 output = s2b ("Invalid Login - %s" % str (err ))
657- self .setHeader ("Content-Length" , str (len (output )))
658- self .setHeader ("Content-Type" , "text/plain" )
659- self .write (output )
663+ self .reject_request (output , status = http_ .client .UNAUTHORIZED )
660664 return
661665
662666 # verify Origin is allowed on all requests including GET.
663667 # If a GET, missing origin is allowed (i.e. same site GET request)
664668 if not self .is_origin_header_ok (api = True ):
665- # Use code 400. Codes 401 and 403 imply that authentication
666- # is needed or authenticated person is not authorized.
667- # Preflight doesn't do authentication.
668- self .response_code = 400
669-
670669 if 'HTTP_ORIGIN' not in self .env :
671670 msg = self ._ ("Required Header Missing" )
672671 else :
673672 msg = self ._ ("Client is not allowed to use Rest Interface." )
674673
674+ # Use code 400. Codes 401 and 403 imply that authentication
675+ # is needed or authenticated person is not authorized.
676+ # Preflight doesn't do authentication.
675677 output = s2b (
676678 '{ "error": { "status": 400, "msg": "%s" } }' % msg )
677- self .setHeader ( "Content-Length" , str ( len ( output )))
678- self . setHeader ( "Content-Type" , "application/json" )
679- self . write ( output )
679+ self .reject_request ( output ,
680+ message_type = "application/json" ,
681+ status = 400 )
680682 return
681683
682684 # Handle CORS preflight request. We know rest is enabled
@@ -686,11 +688,10 @@ def handle_rest(self):
686688 self .handle_preflight ()
687689 return
688690 elif not self .db .security .hasPermission ('Rest Access' , self .userid ):
689- self .response_code = 403
690691 output = s2b ('{ "error": { "status": 403, "msg": "Forbidden." } }' )
691- self .setHeader ( "Content-Length" , str ( len ( output )))
692- self . setHeader ( "Content-Type" , "application/json" )
693- self . write ( output )
692+ self .reject_request ( output ,
693+ message_type = "application/json" ,
694+ status = 403 )
694695 return
695696
696697 self .check_anonymous_access ()
@@ -703,14 +704,13 @@ def handle_rest(self):
703704 # Must check supplied Origin header for bad value first.
704705 csrf_ok = self .handle_csrf (api = True )
705706 except (Unauthorised , UsageError ) as msg :
706- # FIXME should return what the client requests
707- # via accept header.
707+ # FIXME should format return value according to
708+ # client's accept header, so application/xml, text/plain etc. .
708709 output = s2b ('{ "error": { "status": 400, "msg": "%s"}}' %
709710 str (msg ))
710- self .response_code = 400
711- self .setHeader ("Content-Length" , str (len (output )))
712- self .setHeader ("Content-Type" , "application/json" )
713- self .write (output )
711+ self .reject_request (output ,
712+ message_type = "application/json" ,
713+ status = 400 )
714714 csrf_ok = False # we had an error, failed check
715715 return
716716
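Review bot: The new `reject_request` helper (lines 643-648 of the first hunk) sets Content-Length from `len(message)`, which is only a byte count when the caller has already passed bytes; every current caller does go through `s2b`, but the helper is undocumented and a future caller passing a `str` with non-ASCII text would emit a short Content-Length. Add a docstring such as `"""Write an error response. `message` must already be bytes (use s2b); default status is 401."""` and consider asserting `isinstance(message, bytes)`. Separately, the three JSON callers still build the body by `%`-interpolating `msg` into a hand-written JSON literal, and in the last hunk `str(msg)` comes from an `Unauthorised`/`UsageError` raised while validating the Origin header, so if that text echoes request data (not visible here) a quote or backslash would produce malformed JSON; since the commit centralizes response writing, this is the moment to build those bodies with `json.dumps({"error": {"status": 400, "msg": str(msg)}})` instead (the `json` import is not visible in these hunks). Also note that a 401 reply normally carries a `WWW-Authenticate` header, which the default `UNAUTHORIZED` path does not set. `handle_rest` continues beyond the last hunk.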