Returning 401 for admin required instead of 403
Bug #1676425 reported by Thomas Maddox
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
craton | New | Undecided | Unassigned | |
Bug Description
Though 401 is the code for "Unauthorized" in the HTTP specification, it's typically used to communicate that you're lacking valid credentials, not for whether you have discrete permissions on some resource. Usually 403 is used in this case to communicate that they are a valid user, but they do not have permissions to perform the action on the specified resource.
https:/
Therefore, I think it makes sense to change to using 403 Forbidden when the valid user does not have permissions for the specified action on the specified resource.
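The distinction the report asks for, shown as an added example in plain Python (this is not craton's code; the token store, role names and the `authorize` / `authorize_as_reported` helpers are constructed for illustration). The key point is that the status code has to be chosen after authentication and authorization have been evaluated separately: 401 when no valid credentials were presented (RFC 7235 requires a WWW-Authenticate header on that response), 403 when the credentials identified a real user who simply lacks the required permission.

```python
from typing import Dict, Optional, Set, Tuple

# Constructed sample credential store for the example: bearer token -> (user, roles).
TOKENS: Dict[str, Tuple[str, Set[str]]] = {
    "tok-admin": ("alice", {"admin", "user"}),
    "tok-user": ("bob", {"user"}),
}

Response = Tuple[int, Dict[str, str], Dict[str, str]]  # (status, headers, body)


def authenticate(headers: Dict[str, str]) -> Optional[Tuple[str, Set[str]]]:
    """Return (user, roles) when the request carries a valid bearer token, else None.

    A missing header, an unknown scheme, an empty token and an unknown token are
    all treated the same way: the caller has not proven who they are.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return TOKENS.get(token)


def authorize_as_reported(headers: Dict[str, str], required_role: str) -> Response:
    """Behaviour the bug describes: every failed check collapses to 401.

    A client holding a perfectly valid token cannot tell whether it should
    re-authenticate or whether it is simply not allowed to do this.
    """
    identity = authenticate(headers)
    if identity is None or required_role not in identity[1]:
        return 401, {}, {"error": "unauthorized"}
    return 200, {}, {"user": identity[0]}


def authorize(headers: Dict[str, str], required_role: str) -> Response:
    """Proposed behaviour: separate 'who are you' from 'may you do this'."""
    identity = authenticate(headers)
    if identity is None:
        # 401: no usable credentials. WWW-Authenticate tells the client how to retry.
        return (
            401,
            {"WWW-Authenticate": 'Bearer realm="api"'},
            {"error": "missing or invalid credentials"},
        )
    user, roles = identity
    if required_role not in roles:
        # 403: authenticated, but this user does not hold the required role.
        # Re-sending the same credentials will not help, so no challenge header.
        return 403, {}, {"error": f"user {user} lacks role {required_role}"}
    return 200, {}, {"user": user}


if __name__ == "__main__":
    for name, hdrs in [
        ("no header", {}),
        ("bad token", {"Authorization": "Bearer bogus"}),
        ("plain user", {"Authorization": "Bearer tok-user"}),
        ("admin", {"Authorization": "Bearer tok-admin"}),
    ]:
        print(f"{name:10s} reported={authorize_as_reported(hdrs, 'admin')[0]} "
              f"proposed={authorize(hdrs, 'admin')[0]}")
```

Running the block prints one line per case; the reported variant answers 401 for both "bad token" and "plain user", while the proposed variant returns 401 only for the first two cases and 403 for the authenticated non-admin.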