From 734b45dc67671ab7b561239887d5a21459ddedd1 Mon Sep 17 00:00:00 2001
From: azivner
Date: Sat, 30 Sep 2017 18:38:22 -0400
Subject: [PATCH] returning 401 for unauthorized API calls while redirecting to /login for unauthorized page access
---
 TODO | 5 ++++-
 src/app.py | 7 +++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/TODO b/TODO
index b12d43b8e..d9d3e5043 100644
--- a/TODO
+++ b/TODO
@@ -1,4 +1,7 @@
 - logout detection
 - conflict detection
 - note title and content changes are not in audit_log table
-- deleting cloned nodes ends with 500 (probably only on folders)
\ No newline at end of file
+- deleting cloned nodes ends with 500 (probably only on folders)
+- what links here
+- recent changes - link to note should lead to the revision
+- db upgrade / migration
diff --git a/src/app.py b/src/app.py
index c1c003003..b3d430990 100644
--- a/src/app.py
+++ b/src/app.py
@@ -101,6 +101,13 @@ def load_user(user_id):
 else:
 return None
+@login_manager.unauthorized_handler
+def unauthorized_handler():
+ if request.path.startswith('/api'):
+ return 'Unauthorized', 401
+ else:
+ return redirect('/login')
+
 if __name__ == "__main__":
 ssl_context = None
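Review bot: The `request.path.startswith('/api')` test in `unauthorized_handler` matches on a bare string prefix, so any non-API page whose path merely begins with those characters (a constructed example: `/apidocs`) would get the plain 401 instead of the login redirect. Anchoring on the path separator is tighter: `if request.path == '/api' or request.path.startswith('/api/'):`. The route layout is not visible in this hunk, so whether such a page exists today is unconfirmed, but the stricter check keeps the API/page split from drifting as routes are added. A one-line docstring such as `"""Return 401 for API requests and redirect page requests to /login."""` would also record why the two cases differ.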