[openstreetmap/openstreetmap-website] Return 401 Unauthorized when user is not logged in (#2062)

Andy Allan notifications at github.com
Wed Nov 14 16:33:46 UTC 2018

Oh, I see. I didn't realise that 401 responses also require a "WWW-Authenticate" header, and that there's (apparently) no way to have that header explain that you should go to the login page to get yourself a cookie before retrying the (POST|PUT|DELETE) request.

I certainly don't want to add more Basic Auth stuff, so I guess for these non-GET requests we should keep returning 403 Forbidden since we can just return that without any consequences.

I thought that this change would be helpful to some (edge case) users. I thought that a browser would default to a slightly different (and more helpful) message to the user for 401 vs 403, but it just opens cans of worms so I'll withdraw this PR.
