Returning 401 for admin required instead of 403

Bug #1676425 reported by Thomas Maddox
Affects: craton
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (not set)

Bug Description

Though 401 is the code for "Unauthorized" in the HTTP specification, it's typically used to communicate that you're lacking valid credentials, not for whether you have discrete permissions on some resource. Usually 403 is used in this case to communicate that they are a valid user, but they do not have permissions to perform the action on the specified resource.

https://github.com/openstack/craton/blob/master/craton/exceptions.py#L68

Therefore, I think it makes sense to change to using 403 Forbidden when the valid user does not have permissions for the specified action on the specified resource.
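To illustrate the distinction the report draws, here is an added example (not craton's code) of an admin-required check that raises 401 only when credentials are missing or invalid, and 403 when the caller is a valid but non-admin user; the token store, user objects and `delete_region` handler are constructed stand-ins.

```python
# Added example, not craton's code: separate "who are you?" (401) from
# "you may not do this" (403) in an admin-only request handler.


class HTTPError(Exception):
    """Base error carrying the HTTP status code a handler should return."""

    def __init__(self, code, message):
        super().__init__(message)
        self.code = code


class AuthenticationRequired(HTTPError):
    """401: no credentials, or credentials that do not identify a user."""

    def __init__(self):
        super().__init__(401, "Authentication required")


class AdminRequired(HTTPError):
    """403: a valid user that lacks the privilege for this action."""

    def __init__(self):
        super().__init__(403, "Admin privileges required")


class User:
    def __init__(self, name, is_admin=False):
        self.name = name
        self.is_admin = is_admin


# Constructed token store standing in for a real identity backend.
TOKENS = {"tok-alice": User("alice", is_admin=True), "tok-bob": User("bob")}


def authenticate(headers):
    """Resolve the X-Auth-Token header to a user, or raise 401."""
    token = headers.get("X-Auth-Token")
    if token is None or token not in TOKENS:
        raise AuthenticationRequired()
    return TOKENS[token]


def admin_required(handler):
    """Decorator: authenticate first (401), then authorize (403)."""
    def wrapper(headers):
        user = authenticate(headers)
        if not user.is_admin:
            raise AdminRequired()
        return handler(user)
    return wrapper


@admin_required
def delete_region(user):
    return {"deleted_by": user.name}


def status_for(headers):
    """Return the HTTP status the request would produce."""
    try:
        delete_region(headers)
        return 200
    except HTTPError as err:
        return err.code
```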
