Browse files

Set the status before of setting the response body

The 401 status should be set first because setting the response body in
a live controller also closes the response to further changes.

Fixes #14229.
  • Loading branch information...
1 parent d6bb789 commit a62001c5429723a78c7f382e34f157af1a668d68 @guilleiguaran guilleiguaran committed Jun 13, 2014
Showing with 2 additions and 2 deletions.
  1. +2 −2 actionpack/lib/action_controller/metal/http_authentication.rb
View
4 actionpack/lib/action_controller/metal/http_authentication.rb
@@ -121,8 +121,8 @@ def encode_credentials(user_name, password)
def authentication_request(controller, realm)
controller.headers["WWW-Authenticate"] = %(Basic realm="#{realm.gsub(/"/, "")}")
- controller.response_body = "HTTP Basic: Access denied.\n"
controller.status = 401
+ controller.response_body = "HTTP Basic: Access denied.\n"
end
end
@@ -256,8 +256,8 @@ def authentication_header(controller, realm)
def authentication_request(controller, realm, message = nil)
message ||= "HTTP Digest: Access denied.\n"
authentication_header(controller, realm)
- controller.response_body = message
controller.status = 401
+ controller.response_body = message
end
def secret_token(request)

0 comments on commit a62001c

Please sign in to comment.