3108: APIErrors return 403 but do not log anything

inebri******@gmai***** (Google Code) (Is this you? Claim this profile.)
aquafemi 
What version are you running?
1.7.14

What's the URL of the page containing the problem?
rbtools API call

What steps will reproduce the problem?
1. Add local user with the following permissions:
reviews | comment | Can add comment
reviews | review | Can add review
reviews | review request | Can change status
reviews | review request | Can submit as another user
sessions | session | Can add session
2. Get a given review request using RBClient
3. review.submit()

What is the expected output? What do you see instead?
Expected output is something meaningful in the server-side logs, such as:
"PUT /api/review-requests/6422/ by user <username> failed: 403 - user does not have <name of permission>, cannot complete action"

Actual output is nothing - aside from the web server access log showing 403, nothing in the web server error log or the reviewboard log (set to level Debug) gives any indication as to why this action failed.

What operating system are you using? What browser?
CentOS 6.3 on the server. No browser.

Please provide any additional information below.
I added a local user to use in a deploy script that automatically submits reviews when they're merged to master. I gave the user the permissions listed above. When I use RBTools (python client) to try to submit a review request, I get back a traceback with:
rbtools.api.errors.APIError: You don't have permission for this (HTTP 403, API Error 101)

However there's nothing in either the web server log or the ReviewBoard debug-level log about this, either that there was a 403 API call, or any specifics of why it happened. I'd really like to see at least a log that it happened. With debug-level logging, I expect to see a message with the details of what happened, as well as what permission the user is missing to perform the required action.
david
#1 david
  • +Component-API
david
#2 david
  • -Type-Defect
    +Type-Enhancement
    +BetterErrors
david
#3 david 
Fixing all of these is hard, but fixing individual ones are easy.
  • +EasyFix
#4 just****@gmai***** (Google Code) (Is this you? Claim this profile.) 
Looking into this for an Easy Bug fix.
--- Justin Maillet
#5 just****@gmai***** (Google Code) (Is this you? Claim this profile.) 
this bug is up for grabs again, I'm done working on it.
---- Justin Maillet
#7 tien*****@gmai***** (Google Code) (Is this you? Claim this profile.) 
can I work on this one?

Tien
#8 just****@gmai***** (Google Code) (Is this you? Claim this profile.) 
Go for it.
#9 tien*****@gmai***** (Google Code) (Is this you? Claim this profile.) 
I'm not sure if I completely understand this, but here is my attempt of reproducing this bug:
- Login as user A
- Create user B with permissions listed above
- Create a review request as user A
- Attempt to close the review request as user B through the RBT tool, with:

rbt close --username (user B) --password (user B's password) --close-type submitted (request_id just created)

Result:
- Review request successfully gets closed

Am I misunderstanding something?
#10 tien*****@gmai***** (Google Code) (Is this you? Claim this profile.) 
can this be explained more clearly?

2. Get a given review request using RBClient
3. review.submit()
#11 calvinshin 
I am currently working on this bug.
#12 calvinshin
  • +calvinshin
#13 calvinshin
  • -calvinshin
#14 aquafemi
  • +aquafemi
david
#15 david 
Fixes applied in djblets release-0.9.x (1e20466) and reviewboard release-2.5.x (0c3e9fd). This will ship in 2.5.4. Thanks!
  • -New
    +Fixed