actually 404-ing valid requests but non-existing resource

Issue #684

2 files changed, 18 insertions, 1 deletions

diff --git a/service/pixelated/resources/root_resource.py b/service/pixelated/resources/root_resource.py
index 54fe7b4a..504d156d 100644
--- a/service/pixelated/resources/root_resource.py
+++ b/service/pixelated/resources/root_resource.py
@@ -31,6 +31,7 @@ from pixelated.resources.mail_resource import MailResource
 from pixelated.resources.mails_resource import MailsResource
 from pixelated.resources.tags_resource import TagsResource
 from pixelated.resources.keys_resource import KeysResource
+from twisted.web.resource import NoResource
 from twisted.web.static import File
 
 from pixelated.resources.users import UsersResource
@@ -139,4 +140,4 @@ class ChildResourcesMap(object):
         self._registry[path] = resource
 
     def get(self, path):
-        return self._registry.get(path)
+        return self._registry.get(path) or NoResource()
diff --git a/service/test/unit/resources/test_root_resource.py b/service/test/unit/resources/test_root_resource.py
index 0e963f02..4ff11ce8 100644
--- a/service/test/unit/resources/test_root_resource.py
+++ b/service/test/unit/resources/test_root_resource.py
@@ -103,6 +103,22 @@ class TestRootResource(unittest.TestCase):
         d.addCallback(assert_unauthorized)
         return d
 
+    def test_should_404_non_existing_resource_with_valid_csrf(self):
+        request = DummyRequest(['/non-existing-child'])
+        request.method = 'POST'
+        self._mock_ajax_csrf(request, 'stubbed csrf token')
+
+        request.getCookie = MagicMock(return_value='stubbed csrf token')
+
+        d = self.web.get(request)
+
+        def assert_not_found(_):
+            self.assertEqual(404, request.responseCode)
+            self.assertIn("No Such Resource", request.written[0])
+
+        d.addCallback(assert_not_found)
+        return d
+
     def test_should_authorize_child_resource_non_ajax_GET_requests(self):
         request = DummyRequest(['features'])