From 17401a1b8f6e7f9eaeb01a128cfa2c1174c37a9e Mon Sep 17 00:00:00 2001
From: Dustin Ingram
Date: Fri, 26 Jan 2018 10:07:11 -0600
Subject: [PATCH] Return empty response when include fails (#2846)
If the client side include fails for some reason, return an empty response. For example, if there is a permissions error, don't redirect to the login page, just show an empty view.
---
 tests/unit/test_views.py | 15 ++++++++++++++-
 warehouse/views.py | 8 ++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/tests/unit/test_views.py b/tests/unit/test_views.py
index de8acdae7311..6197863ce43a 100644
--- a/tests/unit/test_views.py
+++ b/tests/unit/test_views.py
@@ -25,7 +25,7 @@ from warehouse.views import (
 SEARCH_BOOSTS, SEARCH_FIELDS, current_user_indicator, forbidden, health, httpexception_view, index, robotstxt, opensearchxml, search, force_status,
- flash_messages
+ flash_messages, forbidden_include
 )
 from ..common.db.accounts import UserFactory
@@ -147,6 +147,19 @@ def test_logged_out_redirects_login(self):
 "/accounts/login/?next=/foo/bar/%3Fb%3Ds"
+class TestForbiddenIncludeView:
+
+ def test_forbidden_include(self):
+ exc = pretend.stub()
+ request = pretend.stub()
+
+ resp = forbidden_include(exc, request)
+
+ assert resp.status_code == 200
+ assert resp.content_type == 'text/html'
+ assert resp.content_length == 0
+
+
 def test_robotstxt(pyramid_request):
 assert robotstxt(pyramid_request) == {}
 assert pyramid_request.response.content_type == "text/plain"
diff --git a/warehouse/views.py b/warehouse/views.py
index c157f502b587..f330900e900e 100644
--- a/warehouse/views.py
+++ b/warehouse/views.py
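Review bot: `test_forbidden_include` in the second hunk of tests/unit/test_views.py calls the view with two bare `pretend.stub()` objects, so the `path_info=r"^/_includes/"` predicates that decide which requests get the empty 200 instead of the login redirect are never exercised. That scoping is the security-relevant part of the change: a regression that widened the pattern would turn permission errors on other paths into blank 200 pages without any test failing. A companion test that sends a forbidden request through the configured application, once for a path under `/_includes/` and once for a path outside it, would pin the boundary. At minimum the class deserves a docstring such as `"""The include view returns an empty 200 and never redirects to login."""`.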
@@ -125,6 +125,14 @@ def forbidden(exc, request, redirect_to="accounts.login"):
 return httpexception_view(exc, request)
+@forbidden_view_config(path_info=r"^/_includes/")
+@exception_view_config(PredicateMismatch, path_info=r"^/_includes/")
+def forbidden_include(exc, request):
+ # If the forbidden error is for a client-side-include, just return an empty
+ # response instead of redirecting
+ return Response()
+
+
 @view_config(
 route_name="robots.txt",
 renderer="robots.txt",
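Review bot: `forbidden_include` answers every denied request under `/_includes/` with a bare `Response()`, a 200 that carries no cache directives, so an authorization failure becomes indistinguishable from a legitimately empty include. If a CDN or other shared cache sits in front of these paths (not visible in this hunk), that empty body could be stored and replayed to users who are entitled to the real include; I would build the response first and set `resp.headers["Cache-Control"] = "no-store"` before returning it. The second decorator also routes `PredicateMismatch` here, which the comment does not mention; presumably a mismatched include should render as empty too, and a line such as `# PredicateMismatch is handled here as well so a mismatched include renders as empty` would say so. Because the denial no longer appears as a 403 in status-code metrics, logging it in this view would keep it visible to monitoring.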