[openstreetmap/openstreetmap-website] Return 401 Unauthorized when user is not logged in (#2062)

Andy Allan notifications at github.com
Wed Nov 14 16:33:46 UTC 2018


Oh, I see. I didn't realise that 401 responses also require a "WWW-Authenticate" header, and that there's (apparently) no way to have that header explain that you should go to the login page to get yourself a cookie before retrying the (POST|PUT|DELETE) request.

I certainly don't want to add more Basic Auth stuff, so I guess for these non-GET requests we should keep returning 403 Forbidden since we can just return that without any consequences.

I thought that this change would be helpful to some (edge case) users. I thought that a browser would default to a slightly different (and more helpful) message to the user for 401 vs 403, but it just opens cans of worms so I'll withdraw this PR.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/2062#issuecomment-438727588