Send a 401 Unauthorized header in XML-RPC when access is denied
This is far from perfect but should solve most issues in the recommended
configuration where only authorized users have access. Sending proper
status codes should be implemented when the API implementation
refactoring is done.
michitux committed Oct 15, 2011
1 parent d8f7a7f commit b760af9
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions lib/exe/xmlrpc.php
Expand Up @@ -53,6 +53,7 @@ function addCallback($method, $callback, $args, $help, $public=false){
*/
function call($methodname, $args){
if(!in_array($methodname,$this->public_methods) && !$this->checkAuth()){
header('HTTP/1.1 401 Unauthorized');
return new IXR_Error(-32603, 'server error. not authorized to call method "'.$methodname.'".');
}
return parent::call($methodname, $args);
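Review bot: the `header('HTTP/1.1 401 Unauthorized');` line added in call() sends the 401 with no WWW-Authenticate challenge in the lines shown, and HTTP requires a 401 response to carry one; a client that waits for a challenge before sending credentials gets no scheme or realm to answer. If no challenge is emitted elsewhere, add one next to this line, for example `header('WWW-Authenticate: Basic realm="..."');` with the realm chosen by the project. The status line also hard-codes HTTP/1.1; taking the protocol from `$_SERVER['SERVER_PROTOCOL']` avoids answering an HTTP/1.0 request with a 1.1 status line. A short code comment stating that the 401 is a deliberate departure from the usual 200-with-fault response would help whoever does the refactoring mentioned in the commit message.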

2 comments on commit b760af9

@timroes
Contributor

The XML-RPC specification (http://www.xmlrpc.com/spec) says:

"Unless there's a lower-level error, always return 200 OK."

So in fact, as long as you are still able to fill the response with a server error message, I guess you should never return anything other than 200 OK. It might be that some XML-RPC clients will break on this.

@michitux
Collaborator Author

This 401 header is returned in order to support HTTP clients that send HTTP auth data only on request. This has been discussed in the bug report at http://bugs.dokuwiki.org/index.php?do=details&task_id=2133 which was the cause for this fix. Unfortunately it seems to be impossible to both conform to the XML-RPC specification and to support HTTP clients that implement authentication properly.
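A client can cope with both behaviours discussed in the two comments above: the fault under 200 OK that the specification asks for, and the 401 this commit adds. The sketch below is an added example, not part of the commit or of DokuWiki's code; `interpret`, `parse_body`, the sample bodies and the method name `example.method` are assumptions made for illustration.

```python
import xmlrpc.client

# Constructed samples (not captured traffic). "example.method" is a placeholder name.
FAULT = (-32603, 'server error. not authorized to call method "example.method".')
FAULT_BODY = xmlrpc.client.dumps(xmlrpc.client.Fault(*FAULT)).encode()
OK_BODY = xmlrpc.client.dumps(("page text",), methodresponse=True).encode()


def parse_body(body):
    """Return ("value", v), ("fault", (code, string)) or ("unparseable", None)."""
    try:
        params, _ = xmlrpc.client.loads(body)
        return "value", params[0]
    except xmlrpc.client.Fault as f:
        return "fault", (f.faultCode, f.faultString)
    except Exception:  # empty or non-XML-RPC body
        return "unparseable", None


def interpret(status, headers, body, sent_credentials):
    """Decide what a client should do with one HTTP response to an XML-RPC call."""
    headers = {k.lower(): v for k, v in headers.items()}
    kind, detail = parse_body(body)
    if status == 401:
        if not sent_credentials:
            # Challenge-driven clients resend with credentials; the challenge
            # (if the server sent one) says which scheme to use.
            return "retry_auth", headers.get("www-authenticate")
        # Credentials were already sent: treat this as a final denial and
        # surface the fault from the body instead of retrying in a loop.
        return "denied", detail if kind == "fault" else None
    if status == 200 and kind == "fault":
        # Spec-style server: the denial arrives as a fault under 200 OK.
        return "fault", detail
    if status == 200 and kind == "value":
        return "result", detail
    return "http_error", status
```

Parsing the body before looking at the status is what lets the same fault be reported whether it arrives under 200 or 401.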
