BUGFIX RestfulServer->permissionFailure() returns correct HTTP status code if authentication is possible: 401 Unauthorized instead of 403 Forbidden (patch #3803, thanks DoubleClique)
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@73820 467b73ca-7a2a-4603-9d3b-597d59a354a9
This commit is contained in:
parent
d8f8184986
commit
ec42a12162
@ -505,7 +505,8 @@ class RestfulServer extends Controller {
protected function permissionFailure() {
protected function permissionFailure() {
// return a 401
// return a 401
$this->getResponse()->setStatusCode(403);
$this->getResponse()->setStatusCode(401);
|
$this->getResponse()->addHeader('WWW-Authenticate', 'Basic realm="API Access"');
return "You don't have access to this item through the API.";
return "You don't have access to this item through the API.";
}
}
|
|
|
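Review bot: permissionFailure() now answers 401 with a Basic challenge unconditionally, so a request that already carried credentials the server accepted but that lacks access is told to authenticate again instead of being refused — the test comment on this same commit, "even with logged in user a GET with $api_access disabled should fail", pins exactly that case to 401. In HTTP semantics 401 means no acceptable credentials were presented; an authenticated principal without permission should receive 403, and sending WWW-Authenticate to such a client makes browsers and Basic-auth tooling re-prompt for credentials that are already valid. Keep the 401 plus WWW-Authenticate path only when no member was authenticated for the request (that authentication step is outside this hunk), for example `$this->getResponse()->setStatusCode($authenticated ? 403 : 401);` with the header added only in the 401 branch. The realm `"API Access"` is a hard-coded literal; if the class has a configuration mechanism, a static or constant would keep it in one place. The comment `// return a 401` should then read `// 401 with a Basic challenge when unauthenticated, 403 when authenticated but not permitted`.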
@ -22,7 +22,7 @@ class RestfulServerTest extends SapphireTest {
// even with logged in user a GET with $api_access disabled should fail
// even with logged in user a GET with $api_access disabled should fail
$url = "/api/v1/RestfulServerTest_Page/1";
$url = "/api/v1/RestfulServerTest_Page/1";
$response = Director::test($url, null, null, 'GET');
$response = Director::test($url, null, null, 'GET');
$this->assertEquals($response->getStatusCode(), 403);
$this->assertEquals($response->getStatusCode(), 401);
|
|
unset($_SERVER['PHP_AUTH_USER']);
unset($_SERVER['PHP_AUTH_USER']);
unset($_SERVER['PHP_AUTH_PW']);
unset($_SERVER['PHP_AUTH_PW']);
@ -42,7 +42,7 @@ class RestfulServerTest extends SapphireTest {
// @todo create additional mock object with authenticated VIEW permissions
// @todo create additional mock object with authenticated VIEW permissions
$url = "/api/v1/RestfulServerTest_SecretThing/1";
$url = "/api/v1/RestfulServerTest_SecretThing/1";
$response = Director::test($url, null, null, 'GET');
$response = Director::test($url, null, null, 'GET');
$this->assertEquals($response->getStatusCode(), 403);
$this->assertEquals($response->getStatusCode(), 401);
|
|
$_SERVER['PHP_AUTH_USER'] = 'user@test.com';
$_SERVER['PHP_AUTH_USER'] = 'user@test.com';
$_SERVER['PHP_AUTH_PW'] = 'user';
$_SERVER['PHP_AUTH_PW'] = 'user';
@ -60,7 +60,7 @@ class RestfulServerTest extends SapphireTest {
$data = array('Comment' => 'created');
$data = array('Comment' => 'created');
|
|
$response = Director::test($url, $data, null, 'PUT');
$response = Director::test($url, $data, null, 'PUT');
$this->assertEquals($response->getStatusCode(), 403); // Permission failure
$this->assertEquals($response->getStatusCode(), 401); // Permission failure
|
|
$_SERVER['PHP_AUTH_USER'] = 'editor@test.com';
$_SERVER['PHP_AUTH_USER'] = 'editor@test.com';
$_SERVER['PHP_AUTH_PW'] = 'editor';
$_SERVER['PHP_AUTH_PW'] = 'editor';
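Review bot: The changed assertion in the first hunk now expects 401 for a user who is still logged in (PHP_AUTH_USER is only unset afterwards) but blocked by $api_access, which encodes an authenticated-but-forbidden case as "unauthenticated"; that case should keep asserting 403, with only the anonymous requests moving to 401. None of the three hunks checks the WWW-Authenticate header the commit introduces, so the challenge itself is untested — add one assertion where a 401 is expected, e.g. `$this->assertEquals('Basic realm="API Access"', $response->getHeader('WWW-Authenticate'));` if the response object exposes header lookup. As a point of style, PHPUnit's assertEquals takes the expected value first, so `$this->assertEquals(401, $response->getStatusCode());` yields a readable failure message. Each hunk sits inside a test method whose start and end lie outside the hunk.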