Warning: Can't synchronize with repository "(default)" (Unsupported version control system "svn": No module named svn). Look in the Trac log for more information.

Ticket #1787 (closed defect: fixed)

Opened 4 years ago

Last modified 3 years ago

'login' method in standard Root controller sets wrong HTTP status code

Reported by: Chris Arndt Owned by: Chris Arndt
Priority: normal Milestone: 1.1
Component: TurboGears Version: 1.0.4.4
Severity: normal Keywords: quickstart, login, HTTP status, authorization
Cc:

Description

The login method in the standard root controller of a quickstarted project sets the HTTP status code to 403 ("Forbidden"), where it should be 401 ("Unauthorized").

See controllers.py_tmpl.

This is easy to fix, but we should have a unit test in the quickstart projects for this, so I'm putting this ticket here as a reminder.

Change History

comment:1 Changed 3 years ago by faide

  • Milestone changed from 1.5 to 1.1

comment:2 Changed 3 years ago by Chris Arndt

  • Status changed from new to assigned
  • Owner changed from anonymous to Chris Arndt

comment:3 Changed 3 years ago by faide

Fixed in 1.1 but could easily be backported in 1.0

comment:4 Changed 3 years ago by Chris Arndt

Yes, setting the status code was moved to identity in r5253.

But it is still the wrong HTTP status code. It should be 401 instead of 403. 403 means "Forbidden" and, according to  Wikipedia, "Unlike a 401 Unauthorized response, authenticating will make no difference".

comment:5 Changed 3 years ago by faide

Perfect. Let's change 403 --> 401 in the identity exception and leave the normal /login return a 200.

This will be fixed in 1.0.7 maintenance release (in 2 months) and 1.1 beta1 (by tomorrow night) then.

comment:6 Changed 3 years ago by Chris Arndt

  • Status changed from assigned to closed
  • Resolution set to fixed

Fixed in r5274 for 1.0 and 1.1 branch.

Note: See TracTickets for help on using tickets.