Controllers not allowed returning bad request instead of 401 or 403 #132

Brend-Smits · 2020-05-20T12:16:43Z

If a person is not allowed to perform a certain action because they don't have permission. It should not be returning Bad Request. It should return a 401 Unauthorized instead.

The coding guidelines should also be updated to reflect this change.

StijnGroenen · 2020-05-20T12:52:44Z

It should return 401 Unauthorized if the user is not authenticated / signed in.
If the user is authenticated / signed in but it does not have the right permissions to perform an action it should return 403 Forbidden.

wotwot563 · 2020-05-20T13:04:56Z

its debatable as seen in the rfc https://tools.ietf.org/html/rfc7235#section-3.1 its both possible, but my preference also goes out to 403

Brend-Smits · 2020-05-20T13:14:44Z

Forbidden would be a good option if it allowed to ship a body. We can not describe to the user why they were forbidden.
With Unauthorized we can tell the user why the request was not allowed.

Brend-Smits mentioned this issue May 20, 2020

Changed BadRequest to Unauthorized #133

Merged

13 tasks

StijnGroenen closed this as completed in #133 May 20, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Controllers not allowed returning bad request instead of 401 or 403 #132

Controllers not allowed returning bad request instead of 401 or 403 #132

Brend-Smits commented May 20, 2020

StijnGroenen commented May 20, 2020

wotwot563 commented May 20, 2020

Brend-Smits commented May 20, 2020

Controllers not allowed returning bad request instead of 401 or 403 #132

Controllers not allowed returning bad request instead of 401 or 403 #132

Comments

Brend-Smits commented May 20, 2020

StijnGroenen commented May 20, 2020

wotwot563 commented May 20, 2020

Brend-Smits commented May 20, 2020