Split interceptors of security errors and server errors.

ajenti-core/aj/api/endpoint.py

@@ -85,7 +85,7 @@ def wrapper(self, context, *args, **kwargs):
                 logging.debug(f'Endpoint return at {context.path}: {e.code}')
                 status = e.code
                 result = e.data
-            except (EndpointError, SecurityError) as e:
+            except EndpointError as e:
                 logging.warning(f'Endpoint error at {context.path}: {e.message}')
                 if page:
                     raise
@@ -95,6 +95,12 @@ def wrapper(self, context, *args, **kwargs):
                     'exception': str(e.__class__.__name__),
                     'traceback': str(getattr(e, 'traceback_str', '')),
                 }
+            except SecurityError as e:
+                logging.warning(f'Security error at {context.path}: {e.message}')
+                if page:
+                    raise
+                status  = 403
+                result = "Forbidden"
             # pylint: disable=W0703
             except Exception as e:
                 logging.error(f'Unhandled endpoint error at {context.path}')

ajenti-core/aj/auth.py

@@ -25,7 +25,7 @@ def __str__(self):
 class SecurityError(Exception):
     def __init__(self, permission):
         Exception.__init__(self)
-        self.message = f'Permission "{permission}" is required'
+        self.message = f'Forbidden: permission "{permission}" is required'
 
     def __str__(self):
         return self.message

ajenti-core/aj/routing.py

@@ -100,12 +100,8 @@ def handle(self, http_context):
             try:
                 output = instance.handle(http_context)
             except SecurityError as e:
-                http_context.respond_server_error()
-                result = {
-                    'message': str(e.message),
-                    'exception': "SecurityError",
-                }
-                return json.dumps(result)
+                http_context.respond_forbidden()
+                return str(e.message)
             # pylint: disable=W0703
             except Exception as e:
                 return [self.respond_error(http_context, e)]

plugins/core/resources/js/core/interceptors.es

@@ -1,16 +1,23 @@
 angular.module('core').factory('unauthenticatedInterceptor', ($q, $rootScope, $location, $window, notify, urlPrefix, messagebox, gettext) =>
     ({
         responseError: (rejection) => {
-            if (rejection.status === 500 && rejection.data.exception === 'SecurityError') {
-                notify.error(gettext('Security error'), rejection.data.message);
-            } else if (rejection.status === 500 && rejection.data.exception !== 'EndpointError') {
-                messagebox.show({
-                    title: gettext('Server error'),
-                    data: rejection,
-                    template: '/core:resources/partial/serverErrorMessage.html',
-                    scrollable: true,
-                    negative: gettext('Close')
-                });
+            if (rejection.status === 500) {
+                if (rejection.data.exception === 'SecurityError') {
+                    // Should not happen again
+                    notify.error(gettext('Security error'), rejection.data.message);
+                } else if (rejection.data.exception !== 'EndpointError') {
+                    messagebox.show({
+                        title: gettext('Server error'),
+                        data: rejection,
+                        template: '/core:resources/partial/serverErrorMessage.html',
+                        scrollable: true,
+                        negative: gettext('Close')
+                    });
+                }
+
+            } else if (rejection.status === 403) {
+                notify.error(gettext('Security error'), rejection.data);
+
             } else if (rejection.status === 401) {
                 if ($rootScope.disableExpiredSessionInterceptor || $location.path().indexOf(`${urlPrefix}/view/login`) === 0) {
                     return $q.reject(rejection);