From cf38fedeccd03b303a7b53d474d4cfd63e99523f Mon Sep 17 00:00:00 2001
From: Serghei Mihai
Date: Fri, 27 Mar 2015 16:22:55 +0100
Subject: [PATCH] handling unauthorized user login attempt

---
 ckanext/ozwillo_pyoidc/oidc.py | 8 +++++---
 ckanext/ozwillo_pyoidc/plugin.py | 19 +++++++++++--------
 2 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/ckanext/ozwillo_pyoidc/oidc.py b/ckanext/ozwillo_pyoidc/oidc.py
index 384a59d..1b827c7 100755
--- a/ckanext/ozwillo_pyoidc/oidc.py
+++ b/ckanext/ozwillo_pyoidc/oidc.py
@@ -63,9 +63,11 @@ class Client(oic.Client):
         """
         authresp = self.parse_response(AuthorizationResponse, response,
                                        sformat="dict", keyjar=self.keyjar)
-
-        if self.state != authresp['state']:
-            raise OIDCError("Invalid state %s." % authresp["state"])
+        try:
+            if self.state != authresp['state']:
+                raise OIDCError("Invalid state %s." % authresp["state"])
+        except AttributeError:
+            raise OIDCError("access denied")
 
         if isinstance(authresp, ErrorResponse):
             return OIDCError("Access denied")
diff --git a/ckanext/ozwillo_pyoidc/plugin.py b/ckanext/ozwillo_pyoidc/plugin.py
index a1f55e0..cd3304f 100755
--- a/ckanext/ozwillo_pyoidc/plugin.py
+++ b/ckanext/ozwillo_pyoidc/plugin.py
@@ -7,11 +7,12 @@ from ckan.common import session, c, request, response
 from ckan import model
 from ckan.logic.action.create import user_create, member_create
 import ckan.lib.base as base
+from ckan.lib.helpers import flash_error
 from pylons import config
 
 
 import conf
-from oidc import create_client
+from oidc import create_client, OIDCError
 
 
 plugin_config_prefix = 'ckanext.ozwillo_pyoidc.'
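Review bot: The `return OIDCError("Access denied")` on the hunk's last context line hands the error back as a value, so the `except OIDCError` that plugin.py adds in this same commit never fires for a provider error reply and `userinfo` ends up holding the exception object; it should be `raise OIDCError("Access denied")`. The new `except AttributeError` is also too broad for what is the CSRF guard of the flow: the only attribute read inside the `try` is `self.state`, so the handler appears to fire when no state was recorded for this client (a callback with no preceding authorization request), and reporting that as "access denied" hides the real cause from the log. I would reject a provider error first and then make the state comparison explicit, raising "Invalid state" when the state is missing on either side and without echoing the received value into the message. The enclosing method starts before the hunk, so the signature and the earlier lines are not visible here.
```python
        # … unchanged: parse_response call …
        # Provider error replies are rejected first, and raised rather than
        # returned so the caller's `except OIDCError` actually sees them.
        if isinstance(authresp, ErrorResponse):
            raise OIDCError("Access denied")
        # Missing or mismatched state is the CSRF check failing; say so.
        try:
            received_state = authresp['state']
        except KeyError:
            raise OIDCError("Invalid state")
        if getattr(self, 'state', None) is None or self.state != received_state:
            raise OIDCError("Invalid state")
```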
@@ -128,7 +129,14 @@ class OpenidController(base.BaseController):
     def callback(self):
         g = model.Group.get(session['organization_id'])
         client = Clients.get(g)
-        userinfo = client.callback(request.GET)
+        org_url = str(toolkit.url_for(controller="organization",
+                                      action='read',
+                                      id=g.name))
+        try:
+            userinfo = client.callback(request.GET)
+        except OIDCError, e:
+            flash_error('Login failed')
+            redirect_to(org_url, qualified=True)
 
         locale = None
         log.info('Received userinfo: %s' % userinfo)
@@ -137,12 +145,7 @@ class OpenidController(base.BaseController):
         if '-' in locale:
             locale, country = locale.split('-')
 
-        org_url = str(toolkit.url_for(host=request.host,
-                                      controller="organization",
-                                      action='read',
-                                      id=g.name,
-                                      locale=locale,
-                                      qualified=True))
+        org_url = toolkit.url_for(org_url, locale=locale, qualified=True)
 
         if 'sub' in userinfo:
             userobj = model.User.get(userinfo['sub'])
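Review bot: `redirect_to(org_url, qualified=True)` in the new `except` branch is not returned, so unless `redirect_to` aborts the request by raising (its import is not visible here), execution continues to `log.info('Received userinfo: %s' % userinfo)` with `userinfo` unbound and the handler fails with an UnboundLocalError instead of the intended redirect; `return redirect_to(org_url, qualified=True)` makes the early exit explicit either way. The caught exception `e` is bound but never used, so a rejected callback — a provider error or a state mismatch, which is the CSRF guard tripping — leaves no server-side trace to alert on; add `log.warning('OIDC callback rejected for organization %s: %s', g.name, e)` before the `flash_error` call. The rest of `callback` continues outside this hunk.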