Communities

Writing
Writing
Codidact Meta
Codidact Meta
The Great Outdoors
The Great Outdoors
Photography & Video
Photography & Video
Scientific Speculation
Scientific Speculation
Cooking
Cooking
Electrical Engineering
Electrical Engineering
Judaism
Judaism
Languages & Linguistics
Languages & Linguistics
Software Development
Software Development
Mathematics
Mathematics
Christianity
Christianity
Code Golf
Code Golf
Music
Music
Physics
Physics
Linux Systems
Linux Systems
Power Users
Power Users
Tabletop RPGs
Tabletop RPGs
Notifications
Mark all as read
Q&A

Welcome to Codidact Meta!

Codidact Meta is the meta-discussion site for the Codidact community network and the Codidact software. Whether you have bug reports or feature requests, support questions or rule discussions that touch the whole network – this is the site for you.

"Forbidden" ("403") page actually uses HTTP status 401 Unauthorized instead of 403 Forbidden for deleted posts without permission

+4
−0

There's a variety of actions which results in a display page saying "403 FORBIDDEN"; for example, accessing a deleted question without sufficient reputation to view deleted questions, including when not signed in.

However, the actual HTTP response code for that, as used in the HTTP response, is not 403, but 401.

The two are similar, but distinct. RFC 7231 section 6.5.3 defines the 403 response code as:

The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload (if any).

If authentication credentials were provided in the request, the server considers them insufficient to grant access. The client SHOULD NOT automatically repeat the request with the same credentials. The client MAY repeat the request with new or different credentials. However, a request might be forbidden for reasons unrelated to the credentials.

...while RFC 7235 section 3.1 defines the 401 response code as:

The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. The server generating a 401 response MUST send a WWW-Authenticate header field (Section 4.1) containing at least one challenge applicable to the target resource.

In this case, near as I can tell, no WWW-Authenticate header is included in the response, so the Codidact software is in violation of the HTTP spec.

Usually, a proper 401 response will result in the browser beginning a HTTP authentication flow, which is almost certainly not desirable in this case.

All this to say that especially if the response page prominently displays a HTTP status code, that should match the actual response code in the HTTP response; and that the correct status code (403 or possibly 404) should be used when attempting to view deleted posts without sufficient permission.

Why does this post require moderator attention?
You might want to add some details to your flag.
Why should this post be closed?

0 comment threads

1 answer

You are accessing this answer with a direct link, so it's being shown above all other answers regardless of its score. You can return to the normal view.

+4
−0

Thanks for bringing this to the community's attention.

This proposed change has been made and will be live with the next deploy.

Why does this post require moderator attention?
You might want to add some details to your flag.

1 comment thread

General comments (1 comment)

Sign up to answer this question »