| author | Gunnar Mills <gmills@us.ibm.com> | 2019-06-18 07:39:22 -0500 |
|---|---|---|
| committer | Ed Tanous <ed.tanous@intel.com> | 2019-06-20 16:39:35 +0000 |
| commit | 961c9d9cb05b8da1e4fa8f8e04872dad3b234879 (patch) | |
| tree | 8572de52133e66ed2363088c5592e83114b3e73c | |
| parent | 00a5eddc7bb95cd5654988156dd61c0bd89c425f (diff) | |
| download | bmcweb-961c9d9cb05b8da1e4fa8f8e04872dad3b234879.tar.gz bmcweb-961c9d9cb05b8da1e4fa8f8e04872dad3b234879.zip | |
Response for insufficient privileges to 403
Currently, if the user does not have sufficient privileges,
a 401 (Unauthorized) is returned.
A 403 (Forbidden) should be returned instead.
This change does this.
The Web Interface forces the user to reauthenticate on a 401.
https://github.com/openbmc/phosphor-webui/blob/e364faa0314c8c98a31260bf69df78a104b106a1/app/common/services/apiInterceptor.js#L50
Maybe not the best policy, but a 401 roughly means
"Not or incorrectly authenticated, please reauthenticate".
A 403 roughly means "As this user you don't have permission".
See
https://stackoverflow.com/questions/3297048/403-forbidden-vs-401-unauthorized-http-responses
and
http://www.dirv.me/blog/2011/07/18/understanding-403-forbidden/index.html
Tested: None.
Change-Id: I07a89dc542002c6aeb66da96822fdb466528c383
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
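To make the 401/403 split in the message concrete, here is an added example (written for this page, not bmcweb's or crow's code) of a router that resolves the caller's identity first and only then runs the per-route privilege check, so that "no or invalid session" yields 401 with a WWW-Authenticate challenge while "valid session, missing privilege" yields 403. The Route, Session and Router types, the token-keyed session store, the route table, the privilege names and the Basic realm are all assumptions made for illustration.

```cpp
// Added example for this page, not bmcweb's code: a minimal model of the
// route privilege check the patch touches, showing where 401 and 403 belong.
// Route, Session, the route table, the session store and the privilege names
// are constructed for illustration.
#include <iostream>
#include <map>
#include <optional>
#include <set>
#include <string>
#include <vector>

using PrivilegeSet = std::set<std::string>;

// A route is permitted if the caller's privileges cover at least one of the
// listed AND-groups (assumed semantics; an empty list marks an open route).
struct Route {
    std::vector<PrivilegeSet> anyOf;
};

struct Session {
    std::string username;
    PrivilegeSet privileges;
};

struct Response {
    int status;
    std::map<std::string, std::string> headers;
};

static bool coversAll(const PrivilegeSet& have, const PrivilegeSet& need) {
    for (const auto& p : need) {
        if (have.count(p) == 0) return false;
    }
    return true;
}

// Same shape as the rule check in the patch: true if the caller may use the route.
static bool checkPrivileges(const Route& route, const PrivilegeSet& userPrivileges) {
    if (route.anyOf.empty()) return true;
    for (const auto& group : route.anyOf) {
        if (coversAll(userPrivileges, group)) return true;
    }
    return false;
}

class Router {
public:
    std::map<std::string, Route> routes;      // path -> required privileges
    std::map<std::string, Session> sessions;  // token -> authenticated session

    Response handle(const std::string& path, const std::optional<std::string>& token) const {
        auto rit = routes.find(path);
        if (rit == routes.end()) return {404, {}};
        const Route& route = rit->second;
        if (route.anyOf.empty()) return {200, {}};  // open route, no identity needed

        // Resolve identity first. A missing or unknown token means the caller is
        // not (or incorrectly) authenticated: answer 401 and challenge for
        // credentials, which is what a UI keys on to prompt for login again.
        const Session* session = nullptr;
        if (token) {
            auto sit = sessions.find(*token);
            if (sit != sessions.end()) session = &sit->second;
        }
        if (session == nullptr) {
            return {401, {{"WWW-Authenticate", "Basic realm=\"bmc\""}}};
        }

        // Identity is known; only now is the privilege check meaningful. A
        // shortfall here is 403: logging in again as the same user cannot fix
        // it, so the client must not be told to re-authenticate.
        if (!checkPrivileges(route, session->privileges)) return {403, {}};
        return {200, {}};
    }
};

// Constructed route table and sessions (assumptions, not bmcweb's real ones).
static Router demoRouter() {
    Router r;
    r.routes["/redfish/v1"] = Route{};
    r.routes["/redfish/v1/Systems"] = Route{{PrivilegeSet{"Login"}}};
    r.routes["/redfish/v1/AccountService"] = Route{{PrivilegeSet{"ConfigureUsers"}}};
    r.sessions["tok-admin"] = Session{"admin", {"Login", "ConfigureManager", "ConfigureUsers"}};
    r.sessions["tok-readonly"] = Session{"viewer", {"Login"}};
    return r;
}

// Entry points for callers: token == nullptr means no credentials were presented.
int demoStatus(const char* path, const char* token) {
    std::optional<std::string> t;
    if (token != nullptr) t = std::string(token);
    return demoRouter().handle(path, t).status;
}

bool demoChallenges(const char* path, const char* token) {
    std::optional<std::string> t;
    if (token != nullptr) t = std::string(token);
    return demoRouter().handle(path, t).headers.count("WWW-Authenticate") > 0;
}

int main() {
    std::cout << "no session, /redfish/v1/Systems        -> " << demoStatus("/redfish/v1/Systems", nullptr) << '\n';
    std::cout << "readonly,   /redfish/v1/AccountService -> " << demoStatus("/redfish/v1/AccountService", "tok-readonly") << '\n';
    std::cout << "admin,      /redfish/v1/AccountService -> " << demoStatus("/redfish/v1/AccountService", "tok-admin") << '\n';
    return 0;
}
```

The ordering is the point: the privilege check must sit behind a successful identity lookup, otherwise an unauthenticated caller and an under-privileged one collapse into the same status and a web client cannot tell whether to re-prompt for credentials or to show a permission error.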
| -rw-r--r-- | crow/include/crow/routing.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/crow/include/crow/routing.h b/crow/include/crow/routing.h index 32d31ef..d1c33b5 100644 --- a/crow/include/crow/routing.h +++ b/crow/include/crow/routing.h @@ -1237,7 +1237,7 @@ class Router if (!rules[ruleIndex]->checkPrivileges(userPrivileges)) { - res.result(boost::beast::http::status::unauthorized); + res.result(boost::beast::http::status::forbidden); res.end(); return; } |
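Review bot: the 403 is sent with an empty body (res.end() immediately follows res.result(boost::beast::http::status::forbidden)), so API clients get the status but no machine-readable reason; consider populating an error payload before res.end(). Since checkPrivileges(userPrivileges) runs on an already-resolved privilege set, this branch should only be reachable for an authenticated caller, which is what makes 403 the right code here; please confirm that the path for a missing or invalid session still answers 401, because that is the status the phosphor-webui interceptor linked in the message keys on to force re-login. The message says "Tested: None"; a minimal check is a request with a valid session lacking the route's privilege expecting 403, and the same route with no session expecting 401.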

