Fix list of allowed verbs for failed (unauthorized) preflight

[jldiaz]

During preflight (OPTIONS verb) no Authorization headers can be
provided. Some apps (see for example this issue)
require these headers to determine the identity,
when solving a path and associating it with a model (eg: imagine that
the model is a User whose identity is in that header). Without that
information a sensible action for the path function is to raise
HTTPUnauthorized.

The problem is that more.cors treats that exception (and any exception)
in the same way during preflight: a 404 error is returned and no cors
headers. This prevents the browser to continue with the operation, which
could be otherwise legal.

This patch causes more.cors to return valid cors headers even if
the path function raised HTTPUnauthorized, instead of no cors headers.

[henri-hulski]

Thanks for looking into that issue.
Your solution looks fine to me.
There is just a minor pep8 issue:

more/cors/main.py:31:18: E711 comparison to None should be 'if cond is None:'
        if model == None:

It would also be good if you could add a test as we try to force 100% coverage.
With your patch line 32 and 99 of main.py are not covered.

[henri-hulski]

Great!

[henri-hulski]

@jldiaz I have released more.cors version 0.2.
Could you check if it works now?

[jldiaz]

Yes, the problem with the failed preflights is gone.