This repository has been archived by the owner on Feb 8, 2018. It is now read-only.

Use 401 instead of 403 where appropriate #4196

Closed
mattbk opened this issue Nov 18, 2016 · 2 comments

Comments


mattbk commented Nov 18, 2016

#4040 (comment)

401 = not logged in
403 = already logged in but still not allowed

Then why do I get 403 when not logged in, for pages like this?
[image]

#4040 (comment)

Because we're doing it wrong? :)
Unless we're not, but I think we are ...
https://httpstatuses.com/401
https://httpstatuses.com/403

Relates to #4189, which is due to #4040.


mattbk commented Nov 18, 2016

Based on some discussion at http://stackoverflow.com/questions/3297048/403-forbidden-vs-401-unauthorized-http-responses, it looks like 401 should be returned if you are not logged in and are trying to access a page you need to be logged in to see, regardless of whether you have privileges to see it or not as an authenticated user. This is what @whit537 notes at the beginning of this issue.
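The rule described in the comment above, as an added example that is not code from this repository: the authentication check runs first and yields 401 for any anonymous request to a protected page, and the privilege check only runs for an authenticated user and yields 403. The `ACL` and `SESSIONS` tables, the `authorize` function and the `Bearer` challenge value are assumptions made for illustration.

```python
from http import HTTPStatus

# Constructed access table: path -> roles allowed to view it (None = public).
ACL = {
    "/": None,
    "/dashboard": {"user", "admin"},
    "/admin/payouts": {"admin"},
}

# Constructed session store: session token -> (username, role).
SESSIONS = {
    "tok-alice": ("alice", "user"),
    "tok-root": ("root", "admin"),
}


def authorize(path, session_token=None):
    """Return (status, headers) for a request to `path`.

    Authentication is decided before authorization, so an anonymous caller
    gets the same 401 whether or not some account could see the page.
    """
    if path not in ACL:
        return HTTPStatus.NOT_FOUND, {}

    allowed_roles = ACL[path]
    if allowed_roles is None:
        return HTTPStatus.OK, {}

    identity = SESSIONS.get(session_token)
    if identity is None:
        # Missing, unknown or expired token: the caller is not logged in.
        # RFC 7235 requires a WWW-Authenticate challenge on every 401.
        challenge = {"WWW-Authenticate": 'Bearer realm="example"'}
        return HTTPStatus.UNAUTHORIZED, challenge

    _username, role = identity
    if role not in allowed_roles:
        # Logged in, but this account lacks the privilege: retrying with
        # the same credentials will not help, so 403 and no challenge.
        return HTTPStatus.FORBIDDEN, {}

    return HTTPStatus.OK, {}
```
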

@nobodxbodon

Please reopen if there's a new finding that is not covered by #4197.
