Make Ajax HTTP unauthorized response code customizable #458

Closed
wants to merge 1 commit into from

2 participants

@bartdeboer

Cake currently returns 403 Forbidden when a user is unauthorized. This is the wrong response and should be changed to 401 Unauthorized (Request requires user authentication). 403 should be used when access is denied for a resource. Since such a change probably breaks loads of things, a better solution would be to make it customizable.

@markstory
Owner

Why? The HTTP spec is pretty clean about the difference between 401 and 403. Since we aren't going to offer basic/digest auth 403 is more correct. 401 implies that there is an HTTP layer authentication possible, which there generally isn't.

@markstory markstory closed this
@bartdeboer

The actual authentication implementation (digest, basic or whatever) is outside the scope of HTTP. Code 401 just implies the request failed because the user is unauthorized. The response should include a WWW-Authenticate for the client so that it knows what authentication implementation is expected. For 403 the HTTP spec clearly states "the request SHOULD NOT be repeated". With Cake the request is repeated for authentication.

Furthermore after authentication you need a response code to indicate somebody (who's authenticated) not having permissions (due to ACL for example). Response 403 Forbidden fits perfectly for that requirement. Since 403 is already taken with Cake we're forced to abuse another response code. (Suggestions?)

Either way, the response code being hardcoded like it currently is, is not very pretty.

@markstory
Owner

Sure, but the only widely implemented versions of WWW-Authenticate are basic and digest. The property name doesn't sit well with me either, as the name doesn't match the default value. Lastly, no new features or behavior changes outside of bugfixes are being applied to 1.3.

@bartdeboer

If you have a better name suggestion I'll be happy to make pull requests for the 2.0 / 2.1 branches. I'd also suggest changing the default to 401 so that we can use 403 for ACL permissions. But that's up to you. :)
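The 401/403 distinction argued over in this thread, as an added illustration that is not part of the pull request or of CakePHP's AuthComponent: a 401 tells the client to identify itself and must carry WWW-Authenticate, while a 403 tells an already identified client that it is denied and should not retry. The `$user` and `$permitted` inputs and the Basic realm are assumptions for the example.

```php
<?php
// Added example, not CakePHP code. Picks the status code for a denied request
// based on whether the client is identified at all and, if so, whether it is
// allowed. $user and $permitted are constructed inputs for this illustration.

function deniedResponse($user, $permitted, $realm = 'example')
{
    if ($user === null) {
        // Not authenticated: 401. Both RFC 2616 §10.4.2 and RFC 7235 require a
        // WWW-Authenticate header here so the client knows how to authenticate.
        // Basic is assumed as the scheme purely for the example.
        return array(
            'status'  => 401,
            'headers' => array('WWW-Authenticate' => 'Basic realm="' . $realm . '"'),
        );
    }
    if (!$permitted) {
        // Authenticated but not allowed (e.g. an ACL denial): 403, and the
        // client SHOULD NOT repeat the request with the same credentials.
        return array('status' => 403, 'headers' => array());
    }
    return array('status' => 200, 'headers' => array());
}

// Constructed sample cases covering the three outcomes.
$cases = array(
    'anonymous'        => deniedResponse(null, false),
    'logged-in-denied' => deniedResponse('alice', false),
    'logged-in-ok'     => deniedResponse('alice', true),
);
foreach ($cases as $label => $response) {
    echo $label, ': ', $response['status'], PHP_EOL;
    foreach ($response['headers'] as $name => $value) {
        echo '  ', $name, ': ', $value, PHP_EOL;
    }
}
```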

Commits on Jan 28, 2012
  1. @bartdeboer
Showing with 10 additions and 2 deletions.
  1. +10 −2 cake/libs/controller/components/auth.php
12 cake/libs/controller/components/auth.php
@@ -255,6 +255,14 @@ class AuthComponent extends Object {
var $params = array();
/**
+ * HTTP Status code to send if user is unauthorized
+ *
+ * @var int
+ * @access public
+ */
+ var $httpUnauthorizedCode = 403;
+
+/**
* Method list for bound controller
*
* @var array
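Review bot: the new property `$httpUnauthorizedCode` is named for 401 Unauthorized but defaults to 403 Forbidden, the mismatch the owner already objects to; either give it a neutral name that fits both codes or state in the docblock which values are meaningful, and note that `@var int` documents no range, so any value a controller assigns is later passed unchecked to redirect().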
@@ -400,7 +408,7 @@ function startup(&$controller) {
$this->_stop();
return false;
} else {
- $controller->redirect(null, 403);
+ $controller->redirect(null, $this->httpUnauthorizedCode);
}
}
}
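Review bot: `$controller->redirect(null, $this->httpUnauthorizedCode);` emits the configured code without validating it or, when 401 is chosen (the default the description proposes), adding the WWW-Authenticate header the HTTP spec requires on a 401 response; if 401 is to be supported, this branch should also set that header (or reject 401 when no HTTP auth scheme is available) instead of sending a bare 401.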
@@ -923,7 +931,7 @@ function hashPasswords($data) {
if (is_array($data)) {
$model =& $this->getModel();
-
+
if(isset($data[$model->alias])) {
if (isset($data[$model->alias][$this->fields['username']]) && isset($data[$model->alias][$this->fields['password']])) {
$data[$model->alias][$this->fields['password']] = $this->password($data[$model->alias][$this->fields['password']]);
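Review bot: this hunk only swaps one blank line for another inside hashPasswords(), a whitespace-only change unrelated to the customizable status code; drop it from the commit so the diff stays limited to the feature.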