From 1e02102e5b7e709bae334ad9491828ae7e0e5533 Mon Sep 17 00:00:00 2001
From: Nikita Konovalov
Date: Thu, 19 Jun 2014 13:41:38 +0400
Subject: [PATCH] 403 status code added
The API will now return 403 Forbidden when a non-admin user tries to perform an admin action. This code is required to handle auth errors correctly on the UI side and not log off users on 403.
Change-Id: Ib684f6271b8ca8d460075e4f0c56fb754a965b7d
---
 storyboard/api/auth/authorization_checks.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/storyboard/api/auth/authorization_checks.py b/storyboard/api/auth/authorization_checks.py
index 6ebbfcf3..732a53f5 100644
--- a/storyboard/api/auth/authorization_checks.py
+++ b/storyboard/api/auth/authorization_checks.py
@@ -13,6 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+from pecan import abort
 from pecan import request
 from storyboard.api.auth.token_storage import storage
@@ -55,4 +56,7 @@ def superuser():
 token_info = token_storage.get_access_token_info(token)
 user = user_api.user_get(token_info.user_id)
+ if not user.is_superuser:
+ abort(403, "This action is limited to superusers only.")
+
 return user.is_superuser
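Review bot: The new `if not user.is_superuser:` check dereferences `user` without confirming the lookup returned anything; if `user_api.user_get` can return None for a token whose user record no longer exists (not visible from this hunk), that line raises AttributeError and the client gets a 500 instead of the auth-error response the commit is trying to standardize on. A guard such as `if user is None or not user.is_superuser:` keeps that case on the abort path (403 here, or 401 if the project treats a stale token as unauthenticated). The trailing `return user.is_superuser` is now only reached when it is True, since `abort()` raises for everyone else; that is worth a line such as `# Only reached for superusers; abort() above raises for everyone else.` so the next reader does not expect a False return. The body of `superuser()` starts outside the hunk, so how `token` is obtained and validated cannot be checked here.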