Problem


On the failure of an operation due to authentication, REST returns 403 instead of 401. Consider the following image:

[Image: error.png]

Here GET on /entity/node/nid is requested with user credentials that do not even exist on the Drupal site. Here it should return 401. This becomes confusing for application developers who use REST for Drupal.

Proposed resolution



401 should be returned if authentication fails. 403 is returned if authorization fails for an authenticated user, i.e. the user is authenticated but is not allowed to perform the operation as per the permissions set by the Drupal administrator. Here permissions can be role-based, access-based, etc.

Comment | File | Size | Author
 | error.png | 39.76 KB | vivekvpandya
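
The 401/403 split proposed above, sketched as an added example (not Drupal's code and not part of the original issue). The accounts, permission names, realm and helper names are hypothetical, and it assumes HTTP Basic credentials are required on every request.

```python
import base64
import binascii
import hashlib
import hmac

REALM = 'Basic realm="example"'  # hypothetical realm for the 401 challenge
SALT = b"constructed-salt"       # constructed sample value

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed accounts: name -> (password hash, permissions granted via roles).
USERS = {
    "editor": (_hash("s3cret"), {"view node", "edit node"}),
    "viewer": (_hash("hunter2"), {"view node"}),
}
DUMMY = _hash("dummy")  # compared against when the user name is unknown

def authenticate(authorization):
    """Return the user name for valid Basic credentials, else None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    name, _, password = decoded.partition(":")
    stored = USERS[name][0] if name in USERS else DUMMY
    # One hash and one constant-time compare for known and unknown names alike.
    ok = hmac.compare_digest(stored, _hash(password))
    return name if ok and name in USERS else None

def respond(authorization, permission):
    """Return (status, headers) for a request that needs `permission`."""
    user = authenticate(authorization)
    if user is None:
        # Authentication failed: 401 carries a WWW-Authenticate challenge.
        return 401, {"WWW-Authenticate": REALM}
    if permission not in USERS[user][1]:
        # Identity is established but the permission is missing: 403.
        return 403, {}
    return 200, {}

def basic(name, password):
    """Build a Basic Authorization header value for the sample requests."""
    return "Basic " + base64.b64encode(f"{name}:{password}".encode()).decode()
```

An unknown user and a wrong password get the same 401, so the response does not reveal which account names exist.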

Comments

vivekvpandya created an issue. See original summary.

vivekvpandya updated the issue summary.

a.milkovsky:

REST returns 403 instead of 403

Please fix the error code in description.

vivekvpandya updated the issue summary.