Feature #30086

Use HTTP status code 403 instead of 401 when REST API is disabled

Added by Go MAEDA 12 months ago. Updated 7 months ago.

Status:ClosedStart date:
Priority:NormalDue date:
Assignee:Go MAEDA% Done:


Category:REST API
Target version:4.1.0


Currently, Redmine returns HTTP status code 401 (Unauthorized) if the REST API feature is disabled.

$ curl -D /dev/stdout --user admin:admin http://localhost:3000/issues.xml
HTTP/1.1 401 Unauthorized
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Content-Type: application/xml
WWW-Authenticate: Basic realm="Redmine API" 
Cache-Control: no-cache
X-Request-Id: 22e77bad-feca-4137-a81e-9df152af8bc2
X-Runtime: 0.019368
Transfer-Encoding: chunked

With the status code 401, users may misunderstand that the login id or password is incorrect. If they access to /issues.xml with a web browser, they will see a basic authentication dialog again and again.

I think it is proper and intuitive to return 403 (Forbidden) instead of 401, like "403 API access is not allowed".

30086-http-status-code-403.patch Magnifier (3.17 KB) Yuichi HARADA, 2018-12-10 03:18

30086-http-status-code-403-v2.patch Magnifier (2.7 KB) Go MAEDA, 2019-02-25 13:33

Associated revisions

Revision 18055
Added by Go MAEDA 7 months ago

Use HTTP status code 403 instead of 401 when REST API is disabled (#30086).

Patch by Yuichi HARADA.


#1 Updated by Go MAEDA 12 months ago

  • Description updated (diff)

#2 Updated by Yuichi HARADA 11 months ago

Regardless of whether authentication is valid or not, if you disable the REST API feature it responds with HTTP status code 403(Forbidden).
I made a patch, and attach it.

#3 Updated by Marius BALTEANU 11 months ago

I'm in favour of this change.

#4 Updated by Go MAEDA 11 months ago

  • Target version set to 4.1.0

Setting the target version to 4.1.0.

#5 Updated by Go MAEDA 10 months ago

Returning 403 in the situation is consistent. In incoming emails API, MailHandlerController returns 403 if "WS for incoming emails" is disabled. Please see source:tags/4.0.0/app/controllers/mail_handler_controller.rb#L41.

#6 Updated by Go MAEDA 9 months ago

Removed an unnecessary test_with_valid_username_and_wrong_password_http_authentication from the patch.

#7 Updated by Go MAEDA 7 months ago

  • Status changed from New to Closed
  • Assignee set to Go MAEDA
  • Resolution set to Fixed

Committed the patch. Thank you.

Also available in: Atom PDF