Disambiguate 401 and 403 when accessing /projects#719
Merged
Conversation
Test coverage90.01% line coverage reported by SimpleCov. |
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the API’s global CanCan::AccessDenied handling to return 401 Unauthorized for unauthenticated requests and 403 Forbidden for authenticated-but-denied requests, enabling clients to distinguish “needs login” vs “insufficient permission” flows (notably for /projects access).
Changes:
- Adjust
ApiController#deniedto conditionally render401vs403based oncurrent_userpresence. - Update request specs to cover both authenticated and unauthenticated
CanCan::AccessDeniedscenarios and assert the new response bodies.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| app/controllers/api_controller.rb | Changes CanCan::AccessDenied rescue behavior to return 401 when unauthenticated and 403 when authenticated. |
| spec/requests/api_controller_spec.rb | Updates/extends request specs to validate the new 401/403 behavior and corresponding JSON error messages. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
mwtrew
approved these changes
Mar 9, 2026
Previously, Editor-API would return a 403 error for any project access that failed, including accesses that should have recieved a 401 Unauthorised error. This change checks the state of `current_user` to decide whether to return 401 or 403. This will then allow client applications like Experience CS to properly route the user to either log in and retry or present an error page with explanations as to why the 403 occurred.
This branch changes the response for not-logged-in users to :unauthorized instead of :forbidden.
fspeirs
force-pushed
the
disambiguate-401-403
branch
from
c557563 to
5377296
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Previously, Editor-API would return a
403error for any project access that failed, including accesses that should have received a401 Unauthorizederror.This change checks the state of
current_userto decide whether to return401or403. This will then allow client applications like Experience CS to properly route the user to either log in and retry or present an error page with explanations as to why the403occurred.Status
Points for consideration:
What's changed?
api_controller.rb#deniedto:status: :forbiddenwhen the user is logged in but denied accessstatus: :unauthorizedwhen the user is NOT logged in and denied access.Previously, both conditions would render
:forbidden.Steps to perform after deploying to production
Nothing required.
No changes are required in
editor-uieither as 401 and 403 are already handled identically inloadProjectReducers.jsin that codebase.