authorÉtienne Loks <etienne.loks@iggdrasil.net>2026-02-04 16:52:21 +0100
committerÉtienne Loks <etienne.loks@iggdrasil.net>2026-02-04 16:54:00 +0100
commit50f9894c81233c3d1947c3723871af5cd5ab8154 (patch)
treeacd672221b91e65ad8030bd2f2280fedd27b42f7
parentdee8e1f730163110bf1d0a13c22d8659eca47bc7 (diff)
🩹 GIS token creation: return 403 instead of 200 for invalid tokens
-rw-r--r--ishtar_common/views.py3
1 files changed, 2 insertions, 1 deletions
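--- a/ishtar_common/views.py
+++ b/ishtar_common/views.py
@@ -52,6 +52,7 @@ from django.http import (
     Http404,
     HttpResponseRedirect,
     HttpResponseBadRequest,
+    HttpResponseForbidden,
     JsonResponse,
 )
 from django.shortcuts import redirect, render, get_object_or_404
@@ -1598,7 +1599,7 @@ def gis_create_token(request, request_key, app_key):
     # prevent brut force of bots?
     q = models_rest.UserRequestToken.objects.filter(key=request_key)
     if not q.count():
-        return HttpResponse(content_type="text/plain")
+        return HttpResponseForbidden()
     client_ip, __ = get_client_ip(request)
     token = q.all()[0].generate_token(app_key, from_ip=client_ip)
     return HttpResponse((token and token.key[7:]) or "", content_type="text/plain")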
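Review bot: The new `return HttpResponseForbidden()` on the unknown-key branch gives a caller a status code that distinguishes a `request_key` that exists from one that does not, whereas before both outcomes were an empty 200 body; this makes the brute-force concern raised by the `# prevent brut force of bots?` comment directly above more pressing, and the commit does not address it. If the 403 is intended, the lookup should be rate-limited per client — `client_ip` is already obtained two lines later and could be read before the filter so repeated misses from one address can be throttled and logged. The final `return` still answers 200 with an empty body when `generate_token` returns a falsy value; if that is a failure case it would be consistent with this change to return a non-2xx there as well, though what a falsy token means depends on `generate_token`, which is not in view. `gis_create_token` starts before this hunk.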