Make Ajax HTTP unauthorized response code customizable #458

wants to merge 1 commit into


None yet
2 participants

Cake currently returns 403 Forbidden when a user is unauthorized. This is the wrong response and should be changed to 401 Unauthorized (Request requires user authentication). 403 should be used when access is denied for a resource. Since such a change probably breaks loads of things a better solution would be to make it customizable.


markstory commented Feb 3, 2012

Why? The HTTP spec is pretty clean about the difference between 401 and 403. Since we aren't going to offer basic/digest auth 403 is more correct. 401 implies that there is an HTTP layer authentication possible, which there generally isn't.

@markstory markstory closed this Feb 3, 2012

The actual authentication implementation (digest, basic or whatever) is outside the scope of HTTP. Code 401 just implies the request failed because the user is unauthorized. The response should include a WWW-Authenticate for the client so that it knows what authentication implementation is expected. For 403 the HTTP spec clearly states "the request SHOULD NOT be repeated". With Cake's the request is repeated for authentication.

Furthermore after authentication you need a response code to indicate somebody (who's authenticated) not having permissions (due to ACL for example). Response 403 Forbidden fits perfectly for that requirement. Since 403 is already taken with Cake we're forced to abuse another response code. (Suggestions?)

Either way. The response code being hardcoded like it currently is, is not very pretty.


markstory commented Feb 4, 2012

Sure, but the only widely implemented versions of WWW-Authenticate are basic and digest. The property name doesn't sit well with me either, as the name doesn't match the default value. Lastly, no new features or behavior changes outside of bugfixes are being applied to 1.3.

If you have a better name suggestion I'll be happy to make pull requests for the 2.0 / 2.1 branches. I'd also suggest changing the default to 401 so that we can use 403 for ACL permissions. But that's up to you. :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment