morepath · henri-hulski · Jun 11, 2018 · Jun 11, 2018 · Jun 11, 2018 · Jun 11, 2018
diff --git a/more/cors/main.py b/more/cors/main.py
@@ -1,5 +1,6 @@
 import morepath
 from morepath.publish import resolve_model, get_view_name
+from webob.exc import HTTPUnauthorized
 import dectate
 import reg
 from . import action
@@ -27,6 +28,8 @@ def get_cors_allowed_origin(self, model, request, requested_origin):
                       lambda self, model, request,
                       requested_method: request.view_name))
     def get_cors_allowed_methods(self, model, request, requested_method):
+        if model is None:
+            return self.settings.cors.allowed_verbs
         res = []
         for m in self.settings.cors.allowed_verbs:
             f = self.get_view.by_predicates(
@@ -92,6 +95,8 @@ def cors_handler(request):
 
         try:
             context = resolve_model(request) or app
+        except HTTPUnauthorized:
+            context = None
         except Exception:
             context = app
 

diff --git a/more/cors/tests/test_cors.py b/more/cors/tests/test_cors.py
@@ -1,4 +1,5 @@
 from webtest import TestApp as Client
+from webob.exc import HTTPUnauthorized
 import morepath
 from more.cors import CORSApp
 
@@ -15,6 +16,10 @@ class FailedObject(object):
     pass
 
 
+class UnauthorizedObject(object):
+    pass
+
+
 class Root(object):
     pass
 
@@ -34,6 +39,11 @@ def get_failed_object(request):
     raise Exception()
 
 
+@App.path(path='unauthorized', model=UnauthorizedObject)
+def get_unauthorized_object(request):
+    raise HTTPUnauthorized
+
+
 @App.json(model=Root)
 def view(context, request):
     return {'view': 'index'}
@@ -127,6 +137,16 @@ def test_cors_non_preflight():
     assert r.headers.get('Access-Control-Max-Age') is None
 
 
+def test_cors_unauthorized_preflight():
+    c = get_client(App)
+
+    r = c.options('/unauthorized')
+
+    assert r.headers.get(
+        'Access-Control-Allow-Methods').split(',') \
+        == ['OPTIONS'] + c.app.settings.cors.allowed_verbs
+
+
 def test_cors_no_allowed_verbs():
     @App.setting(section='cors', name='allowed_verbs')
     def get_allowed_verbs():