Send a 401 Unauthorized header in XML-RPC when access is denied
This is far from perfect but should solve most issues in the recommended configuration where only authorized users have access. Sending proper status codes should be implemented when the API implementation refactoring is done.
b760af9
The XML-RPC specification (http://www.xmlrpc.com/spec) says:
"Unless there's a lower-level error, always return 200 OK."
So in fact as long as you are still able to fill the response with a server error message, I guess you should never return anything other than 200 OK. Might be that some XML-RPC clients will break on this.
b760af9
This 401 header is returned in order to support HTTP clients that send HTTP auth data only on request. This has been discussed in the bug report at http://bugs.dokuwiki.org/index.php?do=details&task_id=2133 which was the cause for this fix. Unfortunately it seems to be impossible to both conform to the XML-RPC specification and to support HTTP clients that implement authentication properly.
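The following is an added example, not code from this commit or from DokuWiki: a client-side response handler that tolerates both behaviours discussed above, a 401 status on denied access and a fault carried in a 200 OK body. The fault code, fault text, realm and function names are constructed for illustration, and the presence of a `WWW-Authenticate` header is an assumption.

```python
import xmlrpc.client
from xml.parsers.expat import ExpatError

# Constructed sample bodies (not captured from a real server).
FAULT_BODY = xmlrpc.client.dumps(
    xmlrpc.client.Fault(1, "access denied"), methodresponse=True)
OK_BODY = xmlrpc.client.dumps(("page text",), methodresponse=True)


def parse_body(body):
    """Decode an XML-RPC response body into (kind, value)."""
    try:
        params, _ = xmlrpc.client.loads(body)
        return "ok", (params[0] if params else None)
    except xmlrpc.client.Fault as fault:
        return "fault", (fault.faultCode, fault.faultString)
    except (ExpatError, xmlrpc.client.ResponseError):
        return "unparsable", None


def classify_response(status, headers, body, sent_credentials):
    """Return (outcome, detail) for one XML-RPC HTTP response.

    Outcomes: 'retry_with_auth', 'denied', 'fault', 'ok', 'http_error'.
    """
    headers = {k.lower(): v for k, v in headers.items()}
    if status == 401:
        if not sent_credentials:
            # Client that sends HTTP auth only on request: resend the same
            # call once with credentials instead of treating this as fatal.
            return "retry_with_auth", headers.get("www-authenticate", "")
        # Credentials were already sent and rejected. Never loop on 401.
        kind, value = parse_body(body)
        return "denied", (value if kind == "fault" else None)
    if status != 200:
        return "http_error", status
    # Spec-conformant path: errors arrive as a fault inside 200 OK.
    kind, value = parse_body(body)
    if kind == "unparsable":
        return "http_error", status
    return kind, value
```

The `sent_credentials` flag bounds the retry to a single attempt, so a server that keeps answering 401 cannot make the client resend credentials indefinitely.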