Activity log for bug #1676425

Entry 1
Date: 2017-03-27 13:08:19
Who: Thomas Maddox
What changed: bug
Old value: (none)
New value: (none)
Message: added bug

Entry 2
Date: 2017-03-27 13:08:37
Who: Thomas Maddox
What changed: description
Old value: Though 401 is the code for "Unauthorized" in the HTTP specification, it's typically used to communicate that you're lacking valid credentials, not for whether you have discrete permissions on some resource. Usually 403 is used in this case to communicate that they are a valid user, but they do not have permissions to perform the action on the specified resource. https://github.com/openstack/craton/blob/master/craton/exceptions.py#L68 As a result, I think it makes sense to change to using 403 Forbidden when the valid user does not have permissions for the specified action on the specified resource.
New value: Though 401 is the code for "Unauthorized" in the HTTP specification, it's typically used to communicate that you're lacking valid credentials, not for whether you have discrete permissions on some resource. Usually 403 is used in this case to communicate that they are a valid user, but they do not have permissions to perform the action on the specified resource. https://github.com/openstack/craton/blob/master/craton/exceptions.py#L68 Therefore, I think it makes sense to change to using 403 Forbidden when the valid user does not have permissions for the specified action on the specified resource.
Message: (none)