Normalize FORBIDDEN vs UNAUTHORIZED responses

[fernandoacorreia]

I believe in some situations the code is returning status code FORBIDDEN when it should be UNAUTHORIZED.

I'll review the code and propose a fix.

The name of these status codes can be misleading. UNAUTHORIZED is related to authentication and FORBIDDEN is related to authorization.

For reference reviewing this issue:

401 Unauthorized means "The request requires user authentication." The client MAY repeat the request with a suitable Authorization header field. It's a temporary condition.

403 Forbidden means "The server is refusing to fulfill the request." Authorization will not help and the request SHOULD NOT be repeated. It's a permanent condition.

In summary, a 401 Unauthorized response should be used for missing or bad authentication, and a 403 Forbidden response should be used afterwards, when the user is authenticated but isn’t authorized to perform the requested operation on the given resource.

• http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
• http://danielirvine.com/blog/2011/07/18/understanding-403-forbidden/
• http://stackoverflow.com/a/6937030/376366

[akkie]

Thanks for clarification. I agree, we should fix this.

[akkie]

Thanks, merged.

[akkie]

How did you create a pull request from the previous created issue?

[fernandoacorreia]

With hub:

$ hub pull-request -b USERNAME_OF_UPSTREAM_OWNER:UPSTREAM_BRANCH -h YOUR_USERNAME:YOUR_BRANCH URL_TO_ISSUE

http://stackoverflow.com/a/7841960/376366

[akkie]

Many thanks!