From 287de9f60a21c49dc751ef50061b798c68ee6f6f Mon Sep 17 00:00:00 2001
From: Stephen J Day <stephen.day@docker.com>
Date: Tue, 10 Feb 2015 15:19:02 -0800
Subject: [PATCH] Correctly return when repo name is not available

The branch that executes after a failed request authorization due to a missing
repo name now correctly returns an error. This is somewhat superficial since
the response would have already been executed. Although, unintended repository
operations may have occurred.

Documentations and comments have also been updated to be in line with
surrounding changes.

Signed-off-by: Stephen J Day <stephen.day@docker.com>
---
 registry/app.go | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/registry/app.go b/registry/app.go
index d2f9e2d94..817373f25 100644
--- a/registry/app.go
+++ b/registry/app.go
@@ -222,6 +222,7 @@ func (app *App) dispatcher(dispatch dispatchFunc) http.Handler {
 		}()
 
 		if err := app.authorized(w, r, context); err != nil {
+			ctxu.GetLogger(context).Errorf("error authorizing context: %v", err)
 			return
 		}
 
@@ -270,8 +271,8 @@ func (app *App) context(w http.ResponseWriter, r *http.Request) *Context {
 }
 
 // authorized checks if the request can proceed with access to the requested
-// repository. If it succeeds, the repository will be available on the
-// context. An error will be if access is not available.
+// repository. If it succeeds, the context may access the requested
+// repository. An error will be returned if access is not available.
 func (app *App) authorized(w http.ResponseWriter, r *http.Request, context *Context) error {
 	ctxu.GetLogger(context).Debug("authorizing request")
 	repo := getName(context)
@@ -319,17 +320,19 @@ func (app *App) authorized(w http.ResponseWriter, r *http.Request, context *Cont
 		route := mux.CurrentRoute(r)
 
 		if route == nil || route.GetName() != v2.RouteNameBase {
-			// For this to be properly secured, context.Name must always be set
-			// for a resource that may make a modification. The only condition
-			// under which name is not set and we still allow access is when the
-			// base route is accessed. This section prevents us from making that
-			// mistake elsewhere in the code, allowing any operation to proceed.
+			// For this to be properly secured, repo must always be set for a
+			// resource that may make a modification. The only condition under
+			// which name is not set and we still allow access is when the
+			// base route is accessed. This section prevents us from making
+			// that mistake elsewhere in the code, allowing any operation to
+			// proceed.
 			w.Header().Set("Content-Type", "application/json; charset=utf-8")
 			w.WriteHeader(http.StatusForbidden)
 
 			var errs v2.Errors
 			errs.Push(v2.ErrorCodeUnauthorized)
 			serveJSON(w, errs)
+			return fmt.Errorf("forbidden: no repository name")
 		}
 	}