fix secured views to avoid being applied to exception views #3741

Merged 2 commits on Jan 29, 2024

mmerickel (Member) commented Jan 29, 2024

fixes #3736

Found some scenarios in which an exception view was wrapped in secure views, which is not intended after info.exception_only was added. The main issue encountered is that there were tests for info.exception_only and permission is None, but actually a default exception view has permission == NO_PERMISSION_REQUIRED, so this new logic normalizes that.

While in there, I was able to re-order a bunch of the logic to early-out quicker.

Because exception views are no longer involved in security checks, this avoids the issue run into via #3736, where an invalid URL was tested, which shouldn't happen while processing any normal exception views.

mmerickel merged commit 8de7b1f into main Jan 29, 2024
32 checks passed
mmerickel deleted the fix-authdebug-view branch January 29, 2024 05:47
Successfully merging this pull request may close these issues.

When pyramid.debug_authorization is enabled, invalid Unicode HTTP request raises URLDecodeError
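
The mismatch the PR description explains, as an added example that is not Pyramid's code or part of this PR: a reduced model in which ViewInfo, authdebug, derive_before, derive_after and handle are hypothetical names, and the debug wrapper is assumed to decode the request URL. It shows why a check on permission is None misses a default exception view registered with NO_PERMISSION_REQUIRED, and what normalizing first changes.

```python
from dataclasses import dataclass

# Stand-in for Pyramid's NO_PERMISSION_REQUIRED sentinel (value constructed here).
NO_PERMISSION_REQUIRED = "__no_permission_required__"

@dataclass
class ViewInfo:
    """Hypothetical, reduced model of the deriver's `info` argument."""
    exception_only: bool
    permission: object = None  # the view's explicit permission option

def authdebug(view):
    """Model of a debug wrapper that must decode the request URL (assumption)."""
    def wrapped(raw_path: bytes):
        raw_path.decode("utf-8")  # raises UnicodeDecodeError on invalid bytes
        return view(raw_path)
    return wrapped

def derive_before(view, info):
    # Check as the PR describes it: only `permission is None` counts as
    # "nothing to secure" for an exception-only view.
    if info.exception_only and info.permission is None:
        return view
    return authdebug(view)

def derive_after(view, info):
    # Normalize first: NO_PERMISSION_REQUIRED is treated like no permission.
    permission = info.permission
    if permission == NO_PERMISSION_REQUIRED:
        permission = None
    if info.exception_only and permission is None:
        return view  # early-out: the exception view stays unwrapped
    return authdebug(view)  # explicit-permission case: assumption of this model

def bad_request_view(raw_path):
    return "400 Bad Request"

def handle(derive, info, raw_path):
    """Run the derived exception view; report whether it rendered or crashed."""
    try:
        return derive(bad_request_view, info)(raw_path)
    except UnicodeDecodeError:
        return "unhandled decode error"

# Constructed inputs: a default exception view and a path with invalid UTF-8.
DEFAULT_EXC_VIEW = ViewInfo(exception_only=True, permission=NO_PERMISSION_REQUIRED)
INVALID_PATH = b"/\xff"
```

In this model the old check lets the wrapper run while the error response is being rendered, so the decode failure escapes instead of producing the 400.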