Comment 24 for bug 1407105

Morgan Fainberg (mdrnstm) wrote :

This might be a result of mixing 401 and 403 responses.

401 - Unauthorized, this should mean that the user is *not* authenticated and a re-authentication should be sufficient to perform an action (revoked, expired, etc. token).
403 - Forbidden, this should mean the current authorization doesn't allow the action to be performed.

In the 401 case, redirecting to login should be sane (this may not actually be the case).