[MAGNOLIA-3890] Precisely define what error code we want to return in what situation: with current impl's we only return 403's - no 401's
Created: 25/Nov/11 Updated: 07/Dec/15 Resolved: 07/Dec/15 |
|
| Status: | Closed |
| Project: | Magnolia |
| Component/s: | security |
| Affects Version/s: | 4.5, 5.2 |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Major |
| Reporter: | Daniel Lipp | Assignee: | Unassigned |
| Resolution: | Won't Do | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Comments |
| Comment by Magnolia International [ 03/Dec/13 ] |
|
Here's an email Daniel reminded me of with an explanation I gave (tried to give) about why some integration tests started failing after fixing After the changes made in
So what we should do is return 401 when a user is not authenticated yet and tries to access a resource to which he has no access, and 403 when she's already logged in. This would help integration (WebDAV, REST, ...) and would also allow us to avoid rendering a silly login form when a logged-in user tries to access a resource they simply don't have access to, without even an indication of why they see this form in the first place. |
| Comment by Michael Mühlebach [ 07/Dec/15 ] |
|
Given the thousands of other issues we have open that are more highly requested, we won't be able to address this issue in the foreseeable future. Instead we will focus on issues with a higher impact, and more votes. |
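
The 401/403 rule proposed in the 03/Dec/13 comment, sketched as a framework-neutral WSGI middleware. This is an added example, not Magnolia code: the `REALM` value, the `ACL` table and the `is_permitted`, `access_guard`, `resource` and `probe` names are assumptions made for illustration, and the requests are constructed.

```python
# Added example (not Magnolia code): choose 401 vs 403 in a WSGI middleware.
from wsgiref.util import setup_testing_defaults

REALM = "example"                              # assumed realm name
ACL = {"/public": None, "/admin": {"alice"}}   # constructed; None = anyone


def is_permitted(user, path):
    """Hypothetical ACL check; unknown paths are denied."""
    allowed = ACL.get(path, set())
    return allowed is None or user in allowed


def access_guard(app):
    def guarded(environ, start_response):
        user = environ.get("REMOTE_USER")      # None while anonymous
        if is_permitted(user, environ.get("PATH_INFO", "/")):
            return app(environ, start_response)
        if user is None:
            # Not authenticated yet: 401 plus a challenge, so WebDAV/REST
            # clients know to retry with credentials.
            start_response("401 Unauthorized", [
                ("WWW-Authenticate", 'Basic realm="%s"' % REALM),
                ("Content-Type", "text/plain")])
            return [b"Authentication required\n"]
        # Logged in but not allowed: 403, no challenge and no login form.
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Access denied\n"]
    return guarded


def resource(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def probe(app, path, user=None):
    """Send a constructed request; return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    if user is not None:
        environ["REMOTE_USER"] = user
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body


GUARDED = access_guard(resource)
```

An integration test can then assert on the status line and on the presence of `WWW-Authenticate` instead of parsing a login page.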