craton

Returning 401 for admin required instead of 403

Bug #1676425 reported by Thomas Maddox on 2017-03-27

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	craton	New	Undecided	Unassigned

Bug Description

Though 401 is the code for "Unauthorized" in the HTTP specification, it's typically used to communicate that you're lacking valid credentials, not for whether you have discrete permissions on some resource. Usually 403 is used in this case to communicate that they are a valid user, but they do not have permissions to perform the action on the specified resource.

https://github.com/openstack/craton/blob/master/craton/exceptions.py#L68

Therefore, I think it makes sense to change to using 403 Forbidden when the valid user does not have permissions for the specified action on the specified resource.

See original description

Thomas Maddox (thomas-maddox) on 2017-03-27

description:

updated

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.