From 200bff896cb9f8b7c057ef22be317895a27ea8dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?=
Date: Wed, 1 Sep 2021 15:57:54 -0500
Subject: [PATCH] Return 403 instead of 500 when policy check fails

This patch fixes an issue where a 500 response is sent instead of a 403 when a request is made using the wrong scope. e.g. Using project scope instead of system scope.

Story: 2009170
Task: 43200
Change-Id: Id399d2220118efe1033426c658d1834cbff02f94
---
 barbican/api/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/barbican/api/__init__.py b/barbican/api/__init__.py
index b3d3f2069..fdd7b724e 100644
--- a/barbican/api/__init__.py
+++ b/barbican/api/__init__.py
@@ -96,7 +96,7 @@ def generate_safe_exception_message(operation_name, excep):
 try:
 raise excep
- except policy.PolicyNotAuthorized:
+ except (policy.PolicyNotAuthorized, policy.InvalidScope):
 message = u._(
 '{operation} attempt not allowed - '
 'please review your '
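Review bot: The diffstat shows only `barbican/api/__init__.py` changing, so no test pins the new branch. A unit test that passes a `policy.InvalidScope` instance to `generate_safe_exception_message` and asserts the 403 would stop the wrong-scope path from regressing to a 500. Both exception types now share one handler and one client-facing message, which keeps policy detail out of the response but leaves the second type unexplained. A comment on the except line would help, for example `# InvalidScope: token scope (system/project) does not match the rule's scope_types`. The handler body continues past the hunk, so the status assignment is not visible here and the 403 is taken from the commit message.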