Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / 961c9d9cb05b8da1e4fa8f8e04872dad3b234879^! / .
commit961c9d9cb05b8da1e4fa8f8e04872dad3b234879[log] [tgz]
authorGunnar Mills <gmills@us.ibm.com>Tue Jun 18 07:39:22 2019 -0500
committerEd Tanous <ed.tanous@intel.com>Thu Jun 20 16:39:35 2019 +0000
tree8572de52133e66ed2363088c5592e83114b3e73c
parent00a5eddc7bb95cd5654988156dd61c0bd89c425f [diff]
Response for insufficient privileges to 403

Currently, if the user does not have sufficient privileges
a 401 (Unauthorized) is returned.

A 403 (Forbidden) should be returned instead.
This change does this.

The Web Interface forces the user to reauthenticate on a 401.
https://github.com/openbmc/phosphor-webui/blob/e364faa0314c8c98a31260bf69df78a104b106a1/app/common/services/apiInterceptor.js#L50

Maybe not the best policy but a 401 roughly means
"Not or incorrectly authenticated, please reauthenticate".

A 403 roughly means "As this user you don't have permission".

See
https://stackoverflow.com/questions/3297048/403-forbidden-vs-401-unauthorized-http-responses
and
http://www.dirv.me/blog/2011/07/18/understanding-403-forbidden/index.html

Tested: None.
Change-Id: I07a89dc542002c6aeb66da96822fdb466528c383
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

diff --git a/crow/include/crow/routing.h b/crow/include/crow/routing.h
index 32d31ef..d1c33b5 100644
--- a/crow/include/crow/routing.h
+++ b/crow/include/crow/routing.h

@@ -1237,7 +1237,7 @@
 
         if (!rules[ruleIndex]->checkPrivileges(userPrivileges))
         {
-            res.result(boost::beast::http::status::unauthorized);
+            res.result(boost::beast::http::status::forbidden);
             res.end();
             return;
         }