Feature #30086

Updated by Go MAEDA over 5 years ago

Currently, Redmine returns HTTP status code 401 (Unauthorized) if the REST API feature is disabled. 

<pre>
$ curl -D /dev/stdout --user admin:admin http://localhost:3000/issues.xml
HTTP/1.1 401 Unauthorized
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Content-Type: application/xml
WWW-Authenticate: Basic realm="Redmine API"
Cache-Control: no-cache
X-Request-Id: 22e77bad-feca-4137-a81e-9df152af8bc2
X-Runtime: 0.019368
Transfer-Encoding: chunked
</pre>

With the status code 401, users may mistakenly think that the login id or password is incorrect. If they access /issues.xml with a web browser, they will see a basic authentication dialog again and again.

I think it is proper and intuitive to return 403 (Forbidden) instead of 401, like "403 API access is not allowed".
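The 401-versus-403 distinction described above, as an added example that is not code from the original post or from Redmine itself: a minimal Ruby decision function that answers 403 without a WWW-Authenticate header when the REST API is disabled, and 401 with WWW-Authenticate only when the credentials themselves fail, so a browser re-prompts only in the second case. The user table, the helper names (parse_basic_auth, secure_equal?, api_response) and the XML bodies are assumptions made for this example.

```ruby
require 'base64'

# Constructed sample user table (not Redmine's data model): login => password
USERS = { 'admin' => 'admin' }.freeze

# Constant-time string comparison so a password check does not leak
# the position of the first mismatching byte through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Parse an HTTP Basic Authorization header.
# Returns [login, password], or nil if the header is absent or malformed.
def parse_basic_auth(header)
  return nil unless header.is_a?(String) && header.start_with?('Basic ')
  decoded = Base64.strict_decode64(header[6..])
  login, password = decoded.split(':', 2)
  return nil if login.nil? || password.nil?
  [login, password]
rescue ArgumentError
  # strict_decode64 raises on invalid base64; treat it as no credentials
  nil
end

# Decide the response for a request to an API endpoint (hypothetical helper).
#   api_enabled - the site-wide "enable REST web service" setting
#   auth_header - the request's Authorization header (may be nil)
# Returns [status, headers, body].
def api_response(api_enabled, auth_header)
  xml = { 'Content-Type' => 'application/xml' }

  unless api_enabled
    # Proposed behaviour: a disabled API is a policy decision, not a
    # credential problem, so answer 403 and do NOT send WWW-Authenticate.
    # Without that header a browser shows no login dialog.
    return [403, xml, '<errors><error>API access is not allowed</error></errors>']
  end

  creds = parse_basic_auth(auth_header)
  if creds && USERS.key?(creds[0]) && secure_equal?(USERS[creds[0]], creds[1])
    [200, xml, '<issues type="array"></issues>']
  else
    # Credentials are genuinely missing or wrong: 401 plus a challenge is
    # the correct signal, and a browser re-prompting here is appropriate.
    [401, xml.merge('WWW-Authenticate' => 'Basic realm="Redmine API"'),
     '<errors><error>Unauthorized</error></errors>']
  end
end

# Build a Basic header for a login/password pair (used by the checks below).
def basic_header(login, password)
  "Basic #{Base64.strict_encode64("#{login}:#{password}")}"
end

if __FILE__ == $PROGRAM_NAME
  [[false, basic_header('admin', 'admin')], [true, nil],
   [true, basic_header('admin', 'wrong')], [true, basic_header('admin', 'admin')]].each do |enabled, hdr|
    status, headers, _ = api_response(enabled, hdr)
    puts "api_enabled=#{enabled} auth=#{hdr.inspect} -> #{status} #{headers.keys.join(',')}"
  end
end
```

The point a client author should take from the split: 401 means "retry with different credentials", 403 means "stop, the server will not accept this request regardless of credentials", so a client (or a browser) should never loop on a 403.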
