unauthenticated requests in xml format return a 500 error
Sentry reported (example here) an AttributeError when a user tried to GET a g-event in xml format without providing authentication. Looking at the traceback in the browser:

"data" is a dictionary that has the rest_framework error in it, but since the error doesn't actually have the key "error" associated with it, it just goes down the same code path as if it were an event dictionary and so it throws the attribute error.
Even if Branson's error catching did catch it, the response would have still been broken. So basically this user exposed a 10+ year old bug.
What should happen is the user should get a 403 with an error message, preferably still in xml format so they can read it in the browser.
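
A minimal model of the failure and one possible fix, added here as an illustration and not taken from the project's code. The function names, the `graceid` field and the XML element names are assumptions; the `{"detail": ...}` payload is the shape rest_framework uses for its own authentication errors.

```python
import xml.etree.ElementTree as ET

# Constructed sample payloads (not captured from the real service).
DRF_ERROR = {"detail": "Authentication credentials were not provided."}
EVENT = {"graceid": " G123456 "}


def render_xml_buggy(data):
    """Model of the bug: only the project's own {"error": ...} shape is
    recognised, so a rest_framework error dict is treated as an event."""
    root = ET.Element("response")
    if "error" in data:
        ET.SubElement(root, "error").text = str(data["error"])
    else:
        # data.get() returns None for the DRF dict, so .strip() raises
        # AttributeError and the client sees a 500.
        ET.SubElement(root, "graceid").text = data.get("graceid").strip()
    return ET.tostring(root, encoding="unicode")


def render_xml_fixed(data, status_code):
    """Decide on the HTTP status first, then on the payload shape, so any
    error response is rendered as an XML error document."""
    root = ET.Element("response")
    if status_code >= 400 or "error" in data or "detail" in data:
        message = data.get("error") or data.get("detail") or "request failed"
        err = ET.SubElement(root, "error", status=str(status_code))
        err.text = str(message)  # ElementTree escapes the text on output
    else:
        ET.SubElement(root, "graceid").text = data["graceid"].strip()
    return ET.tostring(root, encoding="unicode")


def raises_attribute_error(data):
    """True if the buggy renderer crashes on this payload."""
    try:
        render_xml_buggy(data)
    except AttributeError:
        return True
    return False


if __name__ == "__main__":
    print(raises_attribute_error(DRF_ERROR))
    print(render_xml_fixed(DRF_ERROR, 403))
    print(render_xml_fixed(EVENT, 200))
```

Keying the branch on the status code as well as the payload keeps the renderer from breaking again if another error shape appears.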