From 22703dd5d47683ae2e9634be556d673823d63618 Mon Sep 17 00:00:00 2001
From: Thierry Parmentelat
Date: Wed, 2 Feb 2011 16:34:21 +0100
Subject: [PATCH] do not delete session when node is trying to call a method that it is not allowed to
---
 PLC/Auth.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/PLC/Auth.py b/PLC/Auth.py
index 89e5ca1..37eab0f 100644
--- a/PLC/Auth.py
+++ b/PLC/Auth.py
@@ -132,6 +132,9 @@ class SessionAuth(Auth):
 node = nodes[0]
 if 'node' not in method.roles:
+ # using PermissionDenied rather than AuthenticationFailure here because
+ # if that fails we don't want to delete the session..
+ raise PLCPermissionDenied, "SessionAuth: Not allowed to call method %s, missing 'node' role"%method.name
 raise PLCAuthenticationFailure, "SessionAuth: Not allowed to call method %s, missing 'node' role"%method.name
 method.caller = node
-- 
2.43.0
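Review bot: The original `raise PLCAuthenticationFailure, ...` is left in place directly after the new `raise PLCPermissionDenied, ...`, so it is now unreachable. It should be deleted in this commit, because anyone who later reorders or removes the first raise would silently bring back the session-deleting behaviour. The added comment is also vague about what "that" refers to; something like `# missing role is an authorization failure, not an authentication failure: the session is still valid and must not be deleted` states the reason directly. The code that deletes the session is not visible in this hunk, and presumably sits in a handler for PLCAuthenticationFailure further down the method, so it is worth confirming that PLCPermissionDenied does not reach that same cleanup path.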