
Added 401 status for default "permission denied" message

1 parent 98743e8 commit db063095eadf1035132d4bc3e4715059aeea725b Piotr Hlawski committed Oct 14, 2008
Showing with 1 addition and 1 deletion.
  1. +1 −1 lib/caboose/access_control.rb
@@ -32,7 +32,7 @@ def access_control(actions={})
else
# Default message translated via I18n backend engine
# Just put translation for :insufficient_permission key in your i18n yml
- c.send(:render, :text => I18n.t(:insufficient_permission) + "#{c.controller_name}/#{c.action_name}")
+ c.send(:render, :text => I18n.t(:insufficient_permission) + " (#{c.controller_name}/#{c.action_name}) ", :status => 401)
end
end
end
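Review bot: the `:status => 401` added on the `+` line is the wrong code for an insufficient-permission response. 401 Unauthorized means the client's credentials are missing or invalid and, per RFC 2616 section 10.4.2, the response must carry a `WWW-Authenticate` challenge, which this `render` does not set; an authenticated user who simply lacks the right to call this action should receive 403 Forbidden, so the line should read `:status => 403`. Separately, the rendered body now echoes `#{c.controller_name}/#{c.action_name}` to the client; that detail is useful in the server log but does not need to be in the response body, so consider logging it and sending only the `I18n.t(:insufficient_permission)` text (also note the stray trailing space inside `") "`).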

1 comment on commit db06309

mroch commented on db06309 Jan 5, 2009

You should use 403, not 401. Your authentication mechanism (e.g. acts_as_authenticated/restful_authentication) should return a 401 when the user isn’t logged in, and this plugin should return 403 when the authenticated user doesn’t have permission. See http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
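The split the comment describes, as an added example that is not part of the caboose plugin or of this commit: a minimal Rack-style access check in plain Ruby that returns 401 with a `WWW-Authenticate` challenge when no user is authenticated, 403 when the authenticated user's role is not allowed, and 200 otherwise. The `POLICY` table, the `user` hash shape and the `log` helper are constructed for the example.

```ruby
# Added example, not the plugin's own code: a minimal Rack-style access check
# that keeps "not logged in" (401) separate from "logged in but not allowed" (403).
require 'set'

# Constructed sample policy: which roles may call which controller/action pair.
POLICY = {
  'posts/index'  => Set['reader', 'editor', 'admin'],
  'posts/update' => Set['editor', 'admin'],
  'admin/users'  => Set['admin'],
}.freeze

# Constructed in-memory log sink so the example runs without a framework.
LOG = []
def log(line)
  LOG << line
end

# Returns a Rack-style triple [status, headers, body].
# user is nil when no valid credentials were presented, otherwise a hash with :role.
# Status codes follow RFC 2616 section 10.4.
def access_control(user, controller, action)
  target = "#{controller}/#{action}"
  allowed = POLICY.fetch(target, Set.new)

  if user.nil?
    # Not authenticated: 401 plus the challenge header the RFC requires.
    return [401,
            { 'WWW-Authenticate' => 'Basic realm="app"', 'Content-Type' => 'text/plain' },
            ['Authentication required']]
  end

  unless allowed.include?(user[:role])
    # Authenticated but not permitted: 403. The controller/action pair goes to
    # the server log rather than into the response body.
    log("insufficient permission: role=#{user[:role]} target=#{target}")
    return [403, { 'Content-Type' => 'text/plain' }, ['Insufficient permission']]
  end

  [200, { 'Content-Type' => 'text/plain' }, ["OK: #{target}"]]
end

if __FILE__ == $0
  p access_control(nil, 'posts', 'index')
  p access_control({ role: 'reader' }, 'posts', 'update')
  p access_control({ role: 'editor' }, 'posts', 'update')
end
```

In a Rails plugin the same decision would sit in the before filter: the authentication layer owns the 401 path, and the permission check only ever renders 403.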
