U4-2749 - Fix auth filters to return 401 when not logged in and 403 when the user has no access

Created by Shannon Deminick 30 Aug 2013, 01:22:31 Updated by Shannon Deminick 18 Sep 2013, 23:58:06

Subtask of: U4-2891

Currently I think we just return 401 for everything, but we need to do a 'double' check and return a different code based on that.

Comments

Shannon Deminick 10 Sep 2013, 04:53:43

For this to all work what we are doing is:

  • 400 = validation errors + custom header X-Status-Reason: Validation failed
  • 401 = not logged in
  • 403 = user doesn't have permissions for the request to execute


Shannon Deminick 10 Sep 2013, 05:39:58

Now we need to figure out how to deal with access requests for when a user is not allowed to do something even if they are logged in. We'll have to display some sort of message, or whatever. Do we handle that at a global level or an individual request level? See: rev a244516b19f725c4b8420a7e1cba5dde5359877e umbraco.security.interceptor.securityInterceptor where we check for a 403 status
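
The 401/403/400 contract from the comments above, together with the client-side check on the status code, as an added example that is not part of this issue or of Umbraco's code. The names (authFilter, route, handle) are hypothetical and the request contexts are constructed; the point it shows is that the "double check" must test "logged in?" before "has permission?", otherwise an anonymous caller gets 403 and is never sent to log in.

```javascript
// Added example (not Umbraco's code). Server side: the auth filter decides
// 401 / 403 / 400 in that order. Client side: an interceptor routes each code
// to a UI action, mirroring the securityInterceptor 403 check in the comment.
const VALIDATION_HEADER = 'X-Status-Reason';

// Server-side decision. `ctx` is a constructed request context:
// { user, requiredPermission, validationErrors }.
function authFilter(ctx) {
  if (!ctx.user) {
    return { status: 401, headers: {} };              // not logged in
  }
  const perms = ctx.user.permissions || [];
  if (ctx.requiredPermission && !perms.includes(ctx.requiredPermission)) {
    return { status: 403, headers: {} };              // logged in, no access
  }
  if (ctx.validationErrors && ctx.validationErrors.length > 0) {
    // Only reached by an authenticated, authorised caller.
    return {
      status: 400,
      headers: { [VALIDATION_HEADER]: 'Validation failed' },
      body: ctx.validationErrors,
    };
  }
  return { status: 200, headers: {} };
}

// Client-side interceptor: maps a response to the UI reaction.
// Header names are matched case-insensitively, as HTTP requires.
function route(response) {
  const headers = response.headers || {};
  const key = Object.keys(headers)
    .find((k) => k.toLowerCase() === VALIDATION_HEADER.toLowerCase());
  if (response.status === 401) return 'redirect-to-login';
  if (response.status === 403) return 'notify-no-access';   // show a notification
  if (response.status === 400 && key && headers[key] === 'Validation failed') {
    return 'show-validation-errors';
  }
  return 'pass-through';
}

// Whole flow for a constructed request; no real HTTP is involved.
function handle(ctx) {
  return route(authFilter(ctx));
}
```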


Shannon Deminick 10 Sep 2013, 12:11:19

Put in notifications


Priority: Normal

Type: Bug

State: Fixed

Assignee: Shannon Deminick

Difficulty: Normal

Category: Security

Backwards Compatible: True

Fix Submitted:

Affected versions:

Due in version: 7.0.0

Sprint:

Story Points:

Cycle: