From 6796699e35cf32194ef46f546c1648c178adcc3b Mon Sep 17 00:00:00 2001
From: Jakob Ketterl
Date: Sat, 27 Mar 2021 23:45:21 +0100
Subject: [PATCH] don't redirect XHR calls to the login page, 403 instead
---
 owrx/controllers/admin.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/owrx/controllers/admin.py b/owrx/controllers/admin.py
index 2ed0093..a6cf3ac 100644
--- a/owrx/controllers/admin.py
+++ b/owrx/controllers/admin.py
@@ -36,5 +36,11 @@ class AuthorizationMixin(object):
 if self.isAuthorized():
 super().handle_request()
 else:
- target = "/login?{0}".format(parse.urlencode({"ref": self.request.path}))
- self.send_redirect(target)
+ if (
+ "x-requested-with" in self.request.headers
+ and self.request.headers["x-requested-with"] == "XMLHttpRequest"
+ ):
+ self.send_response("{}", code=403)
+ else:
+ target = "/login?{0}".format(parse.urlencode({"ref": self.request.path}))
+ self.send_redirect(target)
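Review bot: The new XHR branch keys entirely on the client-supplied `X-Requested-With` header with an exact, case-sensitive match on `XMLHttpRequest`, so a script client that does not set it (for example `fetch()`, which adds no such header by default) still gets the 302 to `/login` and will see the login HTML as a successful response. Both branches deny access, so this is not an authorization bypass, but a comment such as `# X-Requested-With is only a response-format hint; never use it for an access decision` would keep later edits from treating it as a trust signal. The check reads more simply as `if self.request.headers.get("x-requested-with") == "XMLHttpRequest":`, assuming the headers object supports `.get()`, which is not visible here. The 403 body is `"{}"`, and whether `send_response` labels it as JSON cannot be seen in this hunk, so confirm the content type or pass it explicitly. The enclosing method starts above the hunk.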