Merge pull request odoo#611 from odoo-dev/saas-3-really-fix-session-e…

…xpired-fme [MERGE] http routing: fix handle_exception logic and _authenticate exceptions * Better separate JsonRequest and HttpRequest handling for exceptions, so each type of request handles exception the right way. Previously HttpRequest would supersede JsonRequest in some cases and generate pure HTML responses where a JSON result was expected. * Also ensure that ir.http._authenticate() only raises two possible exception types, hiding any other kind of internal errors: - openerp.exceptions.AccessDenied - openerp.http.SessionExpiredException
LeartS · Jun 20, 2014 · e32cf31 · e32cf31
2 parents f855f1c + fef8077
commit e32cf31
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 13 deletions.
diff --git a/openerp/addons/base/ir/ir_http.py b/openerp/addons/base/ir/ir_http.py
@@ -71,17 +71,23 @@ def _auth_method_public(self):
             request.uid = request.session.uid
 
     def _authenticate(self, auth_method='user'):
-        if request.session.uid:
-            try:
-                request.session.check_security()
-                # what if error in security.check()
-                #   -> res_users.check()
-                #   -> res_users.check_credentials()
-            except (openerp.exceptions.AccessDenied, openerp.http.SessionExpiredException):
-                # All other exceptions mean undetermined status (e.g. connection pool full),
-                # let them bubble up
-                request.session.logout()
-        getattr(self, "_auth_method_%s" % auth_method)()
+        try:
+            if request.session.uid:
+                try:
+                    request.session.check_security()
+                    # what if error in security.check()
+                    #   -> res_users.check()
+                    #   -> res_users.check_credentials()
+                except (openerp.exceptions.AccessDenied, openerp.http.SessionExpiredException):
+                    # All other exceptions mean undetermined status (e.g. connection pool full),
+                    # let them bubble up
+                    request.session.logout()
+            getattr(self, "_auth_method_%s" % auth_method)()
+        except (openerp.exceptions.AccessDenied, openerp.http.SessionExpiredException):
+            raise
+        except Exception:
+            _logger.exception("Exception during request Authentication.")
+            raise openerp.exceptions.AccessDenied()
         return auth_method
 
     def _handle_exception(self, exception):

diff --git a/openerp/http.py b/openerp/http.py
@@ -208,8 +208,6 @@ def _handle_exception(self, exception):
            to abitrary responses. Anything returned (except None) will
            be used as response.""" 
         self._failed = exception # prevent tx commit
-        if isinstance(exception, werkzeug.exceptions.HTTPException):
-            return exception
         raise
 
     def _call_function(self, *args, **kwargs):
@@ -456,6 +454,15 @@ def __init__(self, *args):
         params.pop('session_id', None)
         self.params = params
 
+    def _handle_exception(self, exception):
+        """Called within an except block to allow converting exceptions
+           to abitrary responses. Anything returned (except None) will
+           be used as response."""
+        try:
+            return super(HttpRequest, self)._handle_exception(exception)
+        except werkzeug.exceptions.HTTPException, e:
+            return e
+
     def dispatch(self):
         # TODO: refactor this correctly. This is a quick fix for pos demo.
         if request.httprequest.method == 'OPTIONS' and request.func and request.func.routing.get('cors'):