Services should return a 403 instead of a 401 for access denied [#2158563]

According to RFC2616, if a server responds with a 401 response it must also include a WWW-Authenticate header to allow for basic or digest authentication. As is, _services_run_access_callback() by default returns a 401, but it should return a 403.

Comment	File	Size	Author
#1	2158563.1-fix-401.patch	808 bytes	deviantintegral
#1

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

deviantintegral CreditAttribution: deviantintegral commented 17 December 2013 at 18:13

Status:

Active

» Needs review

File	Size
2158563.1-fix-401.patch	808 bytes

Comment #2

18 December 2013 at 22:58

Status:

Needs review

» Needs work

The last submitted patch, 1: 2158563.1-fix-401.patch, failed testing.

Comment #3

ygerasimov CreditAttribution: ygerasimov commented 31 December 2013 at 12:41

I agree that we should respond with 403 code by default. 401 code should be responded by basic or digest authentication plugins with proper challenge.

@deviantintegral please also correct test with your patch as it expects 401.