hove-io · xlqian · Jan 24, 2023 · Jan 24, 2023 · Jan 24, 2023 · Jan 24, 2023
diff --git a/source/jormungandr/jormungandr/instance_manager.py b/source/jormungandr/jormungandr/instance_manager.py
@@ -303,6 +303,10 @@ def get_instances(self, name=None, lon=None, lat=None, object_id=None, api='ALL'
 
         # fetch all the authorized instances (free + private) using cached function has_access()
         authorized_instances = self._get_authorized_instances(user, api)
+        if not authorized_instances:
+            # user doesn't have access to any of the instances
+            context = 'User has no access to any instance'
+            authentication.abort_request(user=user, context=context)
 
         # Filter instances among instances in authorized_instances
         if name:
@@ -317,7 +321,7 @@ def get_instances(self, name=None, lon=None, lat=None, object_id=None, api='ALL'
         if not valid_instances:
             # user doesn't have access to any of the instances
             context = 'User has no access to any instance or instance doesn' 't exist'
-            authentication.abort_request(user=authentication.get_user(None), context=context)
+            authentication.abort_request(user=user, context=context)
         else:
             return valid_instances
 

diff --git a/source/jormungandr/tests/authentication_tests.py b/source/jormungandr/tests/authentication_tests.py
@@ -251,9 +251,9 @@ def test_status_code(self):
             # stopA and stopB and in main routing test, all is ok
             ('/v1/journeys?from=stopA&to=stopB&datetime=20120614T080000', 200),
             # stop1 is in departure board -> KO
-            ('/v1/journeys?from=stopA&to=stop2&datetime=20120614T080000', 403),
+            ('/v1/journeys?from=stopA&to=stop2&datetime=20120614T080000', 404),
             # stop1 and stop2 are in departure board -> KO
-            ('/v1/journeys?from=stop1&to=stop2&datetime=20120614T080000', 403),
+            ('/v1/journeys?from=stop1&to=stop2&datetime=20120614T080000', 404),
         ]
 
         with user_set(app, FakeUserAuth, 'bob'):
@@ -262,15 +262,15 @@ def test_status_code(self):
 
     def test_unkown_region(self):
         """
-        the authentication process must not mess if the region is not found
+        the authentication process prevails even if the region is not found
         """
         with user_set(app, FakeUserAuth, 'bob'):
             r, status = self.query_no_assert('/v1/coverage/the_marvelous_unknown_region/stop_areas')
 
-            assert status == 404
-            assert 'error' in r
+            assert status == 403
+            assert 'message' in r
             assert (
-                get_not_null(r, 'error')['message'] == "The region the_marvelous_unknown_region doesn't exists"
+                r['message'] == "You don't have the permission to access the requested resource. It is either read-protected or not readable by the server."
             )
 
 
@@ -419,7 +419,7 @@ def test_journeys_for_tgv(self):
             response = self.query('/v1/journeys?from=stopA&to=stopB&datetime=20120614T080000')
             assert 'error' not in response
             _, status = self.query_no_assert('/v1/journeys?from=stop1&to=stop2&datetime=20120614T080000')
-            assert status == 403
+            assert status == 404
 
             _, status = self.query_no_assert(
                 '/v1/coverage/empty_routing_test/journeys?from=stop1&to=stop2&datetime=20120614T080000'
@@ -444,9 +444,9 @@ def test_journeys_for_bobette(self):
         """
         with user_set(app, FakeUserAuth, 'bobette'):
             response, status = self.query_no_assert('/v1/journeys?from=stopA&to=stopB&datetime=20120614T080000')
-            assert status == 403
+            assert status == 404
             response, status = self.query_no_assert('/v1/journeys?from=stop1&to=stop2&datetime=20120614T080000')
-            assert status == 403
+            assert status == 404
 
             response, status = self.query_no_assert(
                 '/v1/journeys?from={from_coord}&to={to_coord}&datetime={d}'.format(

diff --git a/source/jormungandr/tests/graphical_isochrones_tests.py b/source/jormungandr/tests/graphical_isochrones_tests.py
@@ -294,8 +294,11 @@ def test_graphical_isochrones_no_region(self):
         q = "v1/coverage/isochrones"
         normal_response, error_code = self.query_no_assert(q)
 
-        assert error_code == 404
-        assert normal_response['error']['message'] == 'The region isochrones doesn\'t exists'
+        assert error_code == 403
+        assert 'message' in normal_response
+        assert (
+            normal_response['message'] == "You don't have the permission to access the requested resource. It is either read-protected or not readable by the server."
+        )
 
     def test_graphical_isochrones_invalid_duration(self):
         q = "v1/coverage/main_routing_test/isochrones?datetime={}&from={}&max_duration={}"

diff --git a/source/jormungandr/tests/heat_maps_tests.py b/source/jormungandr/tests/heat_maps_tests.py
@@ -174,8 +174,11 @@ def test_heat_maps_no_region(self):
         q = "v1/coverage/heat_maps"
         normal_response, error_code = self.query_no_assert(q)
 
-        assert error_code == 404
-        assert normal_response['error']['message'] == 'The region heat_maps doesn\'t exists'
+        assert error_code == 403
+        assert 'message' in normal_response
+        assert (
+            normal_response['message'] == "You don't have the permission to access the requested resource. It is either read-protected or not readable by the server."
+        )
 
     def test_heat_maps_invalid_duration(self):
         q = "v1/coverage/main_routing_test/heat_maps?datetime={}&from={}&max_duration={}"

diff --git a/source/jormungandr/tests/journey_common_tests.py b/source/jormungandr/tests/journey_common_tests.py
@@ -1464,18 +1464,20 @@ def test_with_region(self):
 
         assert status != 200, "the response should not be valid"
 
-        assert response['error']['id'] == "unknown_object"
-        assert response['error']['message'] == "The region non_existent_region doesn't exists"
+        assert 'message' in response
+        assert (
+            response['message'] == "You don't have the permission to access the requested resource. It is either read-protected or not readable by the server."
+        )
 
     def test_no_region(self):
         response, status = self.query_no_assert("v1/" + journey_basic_query)
 
         assert status != 200, "the response should not be valid"
 
-        assert response['error']['id'] == "unknown_object"
-
-        error_regexp = re.compile('^No region available for the coordinates.*')
-        assert error_regexp.match(response['error']['message'])
+        assert 'message' in response
+        assert (
+            response['message'] == "You don't have the permission to access the requested resource. It is either read-protected or not readable by the server."
+        )
 
 
 @dataset({"basic_routing_test": {}})