Project

General

Profile

Actions

Feature #30086

closed

Use HTTP status code 403 instead of 401 when REST API is disabled

Added by Go MAEDA over 5 years ago. Updated almost 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
REST API
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed

Description

Currently, Redmine returns HTTP status code 401 (Unauthorized) if the REST API feature is disabled.

$ curl -D /dev/stdout --user admin:admin http://localhost:3000/issues.xml
HTTP/1.1 401 Unauthorized
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Content-Type: application/xml
WWW-Authenticate: Basic realm="Redmine API" 
Cache-Control: no-cache
X-Request-Id: 22e77bad-feca-4137-a81e-9df152af8bc2
X-Runtime: 0.019368
Transfer-Encoding: chunked

With the status code 401, users may misunderstand that the login id or password is incorrect. If they access to /issues.xml with a web browser, they will see a basic authentication dialog again and again.

I think it is proper and intuitive to return 403 (Forbidden) instead of 401, like "403 API access is not allowed".


Files


Related issues

Related to Redmine - Defect #32315: Impossible to validate API key without modifying anythingClosed

Actions
Actions

Also available in: Atom PDF