From b6076491aa9f37daeb376ac56f8d39ebec3af0c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Mon, 27 Jul 2015 18:43:27 +0200
Subject: [PATCH] xxx
---
 wcs/api.py | 2 +-
 wcs/forms/root.py | 16 ++++++++++++++--
 wcs/qommon/errors.py | 3 +++
 3 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/wcs/api.py b/wcs/api.py
index a400ae7..5df8c98 100644
--- a/wcs/api.py
+++ b/wcs/api.py
@@ -92,7 +92,7 @@ def get_user_from_api_query_string():
 if users:
 user = users[0]
 else:
- raise AccessForbiddenError('unknown NameID')
+ raise UnknownNameIdAccessForbiddenError('unknown NameID')
 return user
diff --git a/wcs/forms/root.py b/wcs/forms/root.py
index 285dfad..e9b3037 100644
--- a/wcs/forms/root.py
+++ b/wcs/forms/root.py
@@ -1203,7 +1203,14 @@ class RootDirectory(AccessControlled, Directory):
 def json(self):
 from wcs.api import is_url_signed, get_user_from_api_query_string
- user = get_user_from_api_query_string() or get_request().user
+ try:
+ user = get_user_from_api_query_string() or get_request().user
+ except errors.UnknownNameIdAccessForbiddenError:
+ # if authenticating the user via the query string failed, return
+ # results for the anonymous case; user is set to 'False' as a
+ # signed URL with a None user is considered like an appropriate
+ # webservice call.
+ user = False
 list_all_forms = (user and user.is_admin) or (is_url_signed() and user is None)
 list_forms = []
@@ -1293,7 +1300,12 @@ class RootDirectory(AccessControlled, Directory):
 def categories_json(self):
 from wcs.api import get_user_from_api_query_string
- user = get_user_from_api_query_string() or get_request().user
+ try:
+ user = get_user_from_api_query_string() or get_request().user
+ except errors.UnknownNameIdAccessForbiddenError:
+ # the name id was unknown, return the categories for anonymous
+ # users.
+ user = None
 list_categories = []
 charset = get_publisher().site_charset
 categories = self.get_categories(user)
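Review bot: `UnknownNameIdAccessForbiddenError` is raised in the wcs/api.py hunk, but the diffstat shows this one-line swap as the only change to that file, so no import was added for the new class. Unless the existing import outside the hunk already brings in every name from the errors module, an unknown NameID would end in a NameError instead of the intended forbidden response. The import that currently provides `AccessForbiddenError` should be extended to include the new class. The body of `get_user_from_api_query_string` starts outside the hunk, so this could not be confirmed from the visible lines.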
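Review bot: In `json()` the fallback `user = False` introduces a third state that only the next line, `(is_url_signed() and user is None)`, is written to understand. Code later in the method (outside this hunk) that tests `user is None` or hands `user` to an access check will no longer see the anonymous value it expects. `categories_json()` in the following hunk uses `user = None` for the same failure, so the two handlers disagree. Consider `user = None` in both, with the failure kept in its own flag: `unknown_nameid = True` in the except branch (initialised to False before the `try`) and `(is_url_signed() and user is None and not unknown_nameid)` in the condition. A log call in each except branch would keep rejected NameIDs visible to operators now that they no longer surface as a 403.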
diff --git a/wcs/qommon/errors.py b/wcs/qommon/errors.py
index b64bb1f..d7c7dba 100644
--- a/wcs/qommon/errors.py
+++ b/wcs/qommon/errors.py
@@ -39,6 +39,9 @@ class AccessForbiddenError(AccessError):
 location_hint = self.location_hint)
+class UnknownNameIdAccessForbiddenError(AccessForbiddenError):
+ pass
+
 class AccessUnauthorizedError(AccessForbiddenError):
 def render(self):
 session = quixote.get_session()
--
2.4.6
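Review bot: `UnknownNameIdAccessForbiddenError` is added with a bare `pass` and nothing stating when it is raised or that some callers are expected to catch it. The other files in this patch catch it to fall back to the anonymous view, while any caller that does not catch it still gets the inherited forbidden response, so that contract belongs on the class. Replace `pass` with a docstring such as `"""The NameID given in an API query string matches no user; callers may catch this to serve the anonymous view."""`. The hunk counts also suggest only one blank line separates the new class from `class AccessUnauthorizedError`, where the preceding context appears to use two.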