According to RFC2616, if a server responds with a 401 response it must also include a WWW-Authenticate header to allow for basic or digest authentication. As is, _services_run_access_callback() by default returns a 401, but it should return a 403.
Comment | File | Size | Author |
---|---|---|---|
#1 | 2158563.1-fix-401.patch | 808 bytes | deviantintegral |
Comments
Comment #1
deviantintegral commented
Comment #3
ygerasimov commented
I agree that we should respond with a 403 code by default. A 401 code should be sent by the basic or digest authentication plugins with a proper challenge.
@deviantintegral please also correct the test with your patch, as it expects 401.
Comment #4
kylebrowning commented
Fixed tests, committed, thanks.
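The 401/403 rule discussed in this issue, as an added PHP example that is not part of the thread or of the Services module: a denied request gets 401 only when an authentication plugin supplies a challenge, otherwise 403, and a small check flags a 401 that lacks WWW-Authenticate. All function names, array keys and the sample realm are hypothetical.

```php
<?php
// Added illustration. All names here are hypothetical and are not part of
// the Services module's API.

/**
 * Build the response for a request that failed the access check.
 *
 * $challenges: WWW-Authenticate values supplied by enabled authentication
 * plugins (for example Basic or Digest); empty when none can challenge.
 * $authenticated: TRUE when the caller already proved an identity.
 */
function example_denied_response(array $challenges, $authenticated) {
  if (!$authenticated && $challenges) {
    // Only a plugin that can issue a challenge may answer 401.
    return array('status' => 401, 'headers' => array('WWW-Authenticate' => array_values($challenges)));
  }
  // Default: access is refused and re-authenticating will not help.
  return array('status' => 403, 'headers' => array());
}

/**
 * Return TRUE when a response satisfies the 401 rule from RFC 2616.
 */
function example_is_compliant(array $response) {
  if ($response['status'] != 401) {
    return TRUE;
  }
  // Header names are case-insensitive.
  foreach ($response['headers'] as $name => $values) {
    if (strtolower($name) === 'www-authenticate' && !empty($values)) {
      return TRUE;
    }
  }
  return FALSE;
}

// Constructed cases: the old default, then the three outcomes above.
$cases = array(
  'old default (bare 401)' => array('status' => 401, 'headers' => array()),
  'no auth plugin' => example_denied_response(array(), FALSE),
  'basic plugin, anonymous' => example_denied_response(array('Basic realm="example"'), FALSE),
  'basic plugin, logged in' => example_denied_response(array('Basic realm="example"'), TRUE),
);
foreach ($cases as $label => $response) {
  printf("%-26s %d %s\n", $label, $response['status'], example_is_compliant($response) ? 'ok' : 'missing WWW-Authenticate');
}
```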