Ticket #1787 (closed defect: fixed)

Opened 2 years ago

Last modified 2 years ago

'login' method in standard Root controller sets wrong HTTP status code

Reported by: Chris Arndt
Assigned to: Chris Arndt
Priority: normal
Milestone: 1.1
Component: TurboGears
Version: 1.0.4.4
Severity: normal
Keywords: quickstart, login, HTTP status, authorization
Cc:

Description

The login method in the standard root controller of a quickstarted project sets the HTTP status code to 403 ("Forbidden"), where it should be 401 ("Unauthorized").

See controllers.py_tmpl.

This is easy to fix, but we should have a unit test in the quickstart projects for this, so I'm putting this ticket here as a reminder.

Change History

08/24/08 10:27:00 changed by faide

  • milestone changed from 1.5 to 1.1.

08/26/08 19:12:29 changed by Chris Arndt

  • owner changed from anonymous to Chris Arndt.
  • status changed from new to assigned.

08/26/08 23:50:46 changed by faide

Fixed in 1.1 but could easily be backported to 1.0.

08/27/08 06:42:23 changed by Chris Arndt

Yes, setting the status code was moved to identity in r5253.

But it is still the wrong HTTP status code. It should be 401 instead of 403. 403 means "Forbidden" and, according to Wikipedia, "Unlike a 401 Unauthorized response, authenticating will make no difference".

08/27/08 06:54:23 changed by faide

Perfect. Let's change 403 --> 401 in the identity exception and leave the normal /login returning a 200.

This will be fixed in 1.0.7 maintenance release (in 2 months) and 1.1 beta1 (by tomorrow night) then.

08/27/08 21:08:59 changed by Chris Arndt

  • status changed from assigned to closed.
  • resolution set to fixed.

Fixed in r5274 for 1.0 and 1.1 branch.
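The status-code rule the description and the 08/27 comments settle on (an identity failure for an anonymous visitor carries 401, a plain visit to /login carries 200), as an added example that is not TurboGears' code or the quickstart template; it also covers the authenticated-but-not-permitted case the 403 definition describes. `Identity`, `access_failure_status` and `login` are constructed stand-ins.

```python
# Added example, not TurboGears' own code: models the 401-vs-403 decision
# this ticket settles. All names here are constructed stand-ins.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Identity:
    """Constructed stand-in for the request's identity."""
    user: Optional[str] = None
    permissions: set = field(default_factory=set)


def access_failure_status(identity, required=frozenset()):
    """Return the HTTP status an access failure should carry, or None if allowed.

    401 Unauthorized: no authenticated user, so logging in may change the outcome.
    403 Forbidden: authenticated but lacking a permission, so authenticating
    again will make no difference (the distinction quoted in the ticket).
    """
    if identity.user is None:
        return 401
    if set(required) - identity.permissions:
        return 403
    return None


def login(identity, forward_url=None, required=frozenset()):
    """Quickstart-style login handler (constructed, not the real template).

    A plain visit to /login returns 200. When the request was forwarded here
    after an access failure, the failure's status is used, so an anonymous
    visitor receives 401 rather than the 403 the original template set.
    """
    status = 200
    if forward_url is not None:
        status = access_failure_status(identity, required) or 200
    return {"status": status, "template": "login.html", "forward_url": forward_url}
```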