API: Make exceptions concrete & include msg

[ebroda]

Description of the issue

As of #1829 I simply got a PermissionDenied. I wanted to create new table and had never done that before, so I was not sure what was the problem. I checked the code, and there are three possible reasons why the request failed:

oeplatform/api/views.py

Lines 410 to 417 in be12447

	if schema not in PLAYGROUNDS and schema not in UNVERSIONED_SCHEMAS:
	raise PermissionDenied
	if schema.startswith("_"):
	raise PermissionDenied
	if request.user.is_anonymous:
	raise PermissionDenied
	if actions.has_table(dict(schema=schema, table=table), {}):
	raise APIError("Table already exists")

And there's also a case where a specific exception is thrown.

Ideas of solution

If it's not by intention, to provide less information for attackers, I'd suggest to include more concrete exceptions with a message, explaining the problem.

Concrete example for the one above:

if schema not in PLAYGROUNDS and schema not in UNVERSIONED_SCHEMAS:
    raise APIError('Schema is not in allowed set of schemes for upload')
if schema.startswith("_"):
    raise APIError('Schema starts with _, which is not allowed')
if request.user.is_anonymous:
    raise APIError('User is anonymous', 401)
if actions.has_table(dict(schema=schema, table=table), {}):
    raise APIError("Table already exists", 409)

With that I'm able to check out, okay, I should have a look at this aspect.

If you're basically fine with that change, I could add a PR for that.

Workflow checklist

• I am aware of the workflow in CONTRIBUTING.md

[jh-RLI]

Sorry for the late reply. I have no problem with it. You can send the PR if you want :)

I think there was some concern about certain things some time ago, but currently I think it's better to make it understandable instead of trying to hide such things from attackers. The data is backed up regularly and should be quite secure, we don't store a lot of user data. I don't think there is much to be gained by attacking the oeplatform.