Ticket #9847: 9847.diff

django/conf/urls/defaults.py

@@ -1 +1 @@
 from django.core.urlresolvers import RegexURLPattern, RegexURLResolver
 from django.core.exceptions import ImproperlyConfigured
 
-__all__ = ['handler404', 'handler500', 'include', 'patterns', 'url']
+__all__ = ['handler403', 'handler404', 'handler500', 'include', 'patterns', 'url']
 
+handler403 = 'django.views.defaults.permission_denied'
 handler404 = 'django.views.defaults.page_not_found'
 handler500 = 'django.views.defaults.server_error'
 

django/core/urlresolvers.py

@@ -295 +295 @@
         except (ImportError, AttributeError), e:
             raise ViewDoesNotExist("Tried %s. Error was: %s" % (callback, str(e)))
 
+    def resolve403(self):
+        return self._resolve_special('403')
+
     def resolve404(self):
         return self._resolve_special('404')
 

django/core/handlers/base.py

@@ -131 +131 @@
                         finally:
                             receivers = signals.got_request_exception.send(sender=self.__class__, request=request)
             except exceptions.PermissionDenied:
-                return http.HttpResponseForbidden('<h1>Permission denied</h1>')
+                try: 
+                    callback, param_dict = resolver.resolve403() 
+                    return callback(request, **param_dict) 
+                except: 
+                    return http.HttpResponseForbidden('<h1>403 Forbidden</h1>')
             except SystemExit:
                 # Allow sys.exit() to actually exit. See tickets #1023 and #4701
                 raise

django/views/defaults.py

@@ -1 +1 @@
 from django import http
 from django.template import Context, RequestContext, loader
 
+def permission_denied(request, template_name='403.html'): 
+    t = loader.get_template(template_name) # You need to create a 403.html template. 
+    return http.HttpResponseForbidden(t.render(Context({'request_path': request.path}))) 
+
 def page_not_found(request, template_name='404.html'):
     """
     Default 404 handler.

tests/regressiontests/views/tests/debug.py

@@ -1 +1 @@
 import inspect
+from os import path, remove
 
 from django.conf import settings
 from django.core.files.uploadedfile import SimpleUploadedFile
@@ -30 +31 @@
         self.failUnless('file_data.txt' in response.content)
         self.failIf('haha' in response.content)
 
+    def test_403(self):
+        # Can't use NamedTemporaryFile since it has to be in ../templates
+
+        # Create a 403.html and check if it is served to us when a 403 is triggered
+        template_path = '../templates/403.html'
+        if not path.exists(template_path):
+            FILE = open(template_path)
+            FILE.write('This is a test template for a 403 Forbidden error.')
+            FILE.close()
+        self.failIf(not path.exists(template_path)
+        response_with_template = self.client.get('/views/raises403')
+        self.assertEquals(response_with_template.status_code, 403)
+        self.failUnless('template' in response_with_template.content)
+        remove(template_path)
+        self.failIf(path.exists(template_path))
+
+        # See if the default thing happens when a 403 is triggered, and we *don't* have a 403.html
+        response_without_template = self.client.get('/views/raises403/')
+        self.assertEquals(response_without_template.status_code, 403)
+        self.failIf('template' in response_without_template.content)
+
     def test_404(self):
         response = self.client.get('/views/raises404/')
         self.assertEquals(response.status_code, 404)

tests/regressiontests/views/views.py

@@ -6 +6 @@
 from django.views.generic.create_update import create_object
 from django.core.urlresolvers import get_resolver
 from django.shortcuts import render_to_response
+from django.core.exceptions import PermissionDenied
 
 from regressiontests.views import BrokenException, except_args
 
@@ -44 +45 @@
     resolver = get_resolver(None)
     resolver.resolve('')
 
+def raises403(request):
+    raise PermissionDenied()
+
 def redirect(request):
     """
     Forces an HTTP redirect.
@@ -56 +60 @@
 def template_exception(request, n):
     return render_to_response('debug/template_exception.html',
         {'arg': except_args[int(n)]})
-

tests/regressiontests/views/urls.py

@@ -109 +109 @@
 urlpatterns += patterns('',
     (r'^raises/$', views.raises),
     (r'^raises404/$', views.raises404),
+    (r'^raises403/$', views.raises403),
 )
 
 # rediriects, both temporary and permanent, with non-ASCII targets

AUTHORS

@@ -430 +430 @@
     Ben Slavin <benjamin.slavin@gmail.com>
     sloonz <simon.lipp@insa-lyon.fr>
     Paul Smith <blinkylights23@gmail.com>
+    Steven L. Smith (fvox13) <steven@stevenlsmith.com>
     Warren Smith <warren@wandrsmith.net>
     smurf@smurf.noris.de
     Vsevolod Solovyov

docs/topics/http/views.txt

@@ -196 +196 @@
 That takes care of setting ``handler500`` in the current module. As you can see
 in ``django/conf/urls/defaults.py``, ``handler500`` is set to
 ``'django.views.defaults.server_error'`` by default.
+
+The 403 (HTTP Forbidden) view
+----------------------------
+
+In the same vein as the 404 and 500 views, Django has a view to handle 403 Forbidden
+errors. If a view results in a 403 exception, Django will, by default, call the view
+``django.views.defaults.permission_denied``, which loads and renders the template ``403.html``.
+
+If you do not provide a ``403.html`` template in your root template directory, this
+view will instead serve the text "403 Forbidden", as per RFC 2616 (the HTTP 1.1 Specification).
+
+It is possible to override ``django.views.defaults.permission_denied`` in much the same way you
+can for the 404 and 500 views.

docs/ref/exceptions.txt

@@ -48 +48 @@
 ----------------
 
 The ``PermissionDenied`` exception is raised when a user does not have
-permission to perform the action requested.
+permission to perform the action requested. It is equivalent to an HTTP 403 Error.
 
 ViewDoesNotExist
 ----------------