Feature #30086
closed
Use HTTP status code 403 instead of 401 when REST API is disabled
Description
Currently, Redmine returns HTTP status code 401 (Unauthorized) if the REST API feature is disabled.
$ curl -D /dev/stdout --user admin:admin http://localhost:3000/issues.xml
HTTP/1.1 401 Unauthorized
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Content-Type: application/xml
WWW-Authenticate: Basic realm="Redmine API"
Cache-Control: no-cache
X-Request-Id: 22e77bad-feca-4137-a81e-9df152af8bc2
X-Runtime: 0.019368
Transfer-Encoding: chunked

With the status code 401, users may misunderstand that the login id or password is incorrect. If they access /issues.xml with a web browser, they will see a basic authentication dialog again and again.
I think it is proper and intuitive to return 403 (Forbidden) instead of 401, like "403 API access is not allowed".
Updated by Yuichi HARADA about 6 years ago
Regardless of whether authentication is valid or not, if you disable the REST API feature it responds with HTTP status code 403 (Forbidden).
I made a patch and attached it.
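The behaviour discussed above, as an added example that is not part of the original issue or of Redmine's patch: a Rack-style handler that checks the feature switch before credentials, so a disabled API yields 403 with no `WWW-Authenticate` challenge and 401 is sent only when other credentials could succeed. The `USERS` table and the names `env_for`, `basic_credentials`, `api_response` and `reprompts_for_credentials?` are hypothetical.

```ruby
require 'openssl'

# Constructed account for the demo; not a real Redmine credential store.
USERS = { 'admin' => 'admin' }.freeze
CHALLENGE = { 'WWW-Authenticate' => 'Basic realm="Redmine API"' }.freeze

# Build a Rack-style env carrying HTTP Basic credentials (no user = anonymous).
def env_for(user = nil, password = nil)
  return {} unless user
  { 'HTTP_AUTHORIZATION' => 'Basic ' + ["#{user}:#{password}"].pack('m0') }
end

# Parse "Authorization: Basic <base64>" into [user, password], or nil.
def basic_credentials(env)
  scheme, payload = env['HTTP_AUTHORIZATION'].to_s.split(' ', 2)
  return nil unless payload && scheme.casecmp?('Basic')
  user, password = payload.unpack1('m').split(':', 2)
  user && password ? [user, password] : nil
end

# Hypothetical handler: returns a Rack-style [status, headers, body] triple.
def api_response(env, rest_api_enabled:)
  # Check the feature switch before credentials: when the API is off no
  # credential can succeed, so answer 403 and send no challenge.
  unless rest_api_enabled
    return [403, { 'Content-Type' => 'text/plain' }, ['API access is not allowed']]
  end
  user, password = basic_credentials(env)
  # key? guards against an unknown user matching an empty password.
  if USERS.key?(user) && OpenSSL.secure_compare(USERS[user], password)
    [200, { 'Content-Type' => 'application/xml' }, ['<issues/>']]
  else
    # 401 is reserved for the case where different credentials could help.
    [401, CHALLENGE.dup, ['']]
  end
end

# A browser or API client re-prompts only on 401 plus a challenge header.
def reprompts_for_credentials?(response)
  status, headers, = response
  status == 401 && headers.key?('WWW-Authenticate')
end
```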
Updated by Go MAEDA about 6 years ago
- Target version set to 4.1.0
Setting the target version to 4.1.0.
Updated by Go MAEDA almost 6 years ago
Returning 403 in this situation is consistent. In the incoming emails API, MailHandlerController returns 403 if "WS for incoming emails" is disabled. Please see source:tags/4.0.0/app/controllers/mail_handler_controller.rb#L41.
Updated by Go MAEDA almost 6 years ago
Removed an unnecessary test_with_valid_username_and_wrong_password_http_authentication from the patch.
Updated by Go MAEDA over 5 years ago
- Status changed from New to Closed
- Assignee set to Go MAEDA
- Resolution set to Fixed
Committed the patch. Thank you.
Updated by Go MAEDA about 4 years ago
- Related to Defect #32315: Impossible to validate API key without modifying anything added