Use 401 with Authenticate header, when appropriate. #187
Conversation
Just to clarify: 401 is connected to HTTP Authentication, not to authentication in general. Therefore if e.g. UserLoggedInAuthentication is used and the test fails, 403 is the proper response.

Where should the 401 error be used then? I found it convenient to differentiate permissions from authorization on my client side. I think that is also what is done in django-tastypie.

@sebastibe: Take a look here: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2

"The request requires user authentication." Yes, I read this when I proposed my patch. To make my question more precise: where in django-rest-framework should the 401 be raised? Because for the moment it is raised nowhere.

@sebastibe: I don't know where 401 belongs in django-rest-framework. I only wanted to promote good practices regarding HTTP status codes :)

Whilst I acknowledge that the 401 spec does mention Basic Auth, the 403 spec says "Authorization will not help", which in this case is clearly not true. So neither fits exactly, and I think 401 is a closer fit.

@mjtamlyn "Authorization will not help" relates to "401 Unauthorized"
If anyone is interested in tackling this I've sketched out what I think needs to happen to do this properly.
Anyone fancy helping?

Updated title to better reflect the work that needs to be done.

Written the docs for this in the unauthenticated-response branch.
What needs to happen now...

Note also that I've split out
A 403 error response indicates that the client's request is formed correctly, but the REST API refuses to honor it. A 403 response is not a case of insufficient client credentials; that would be 401 ("Unauthorized").
403 should only be used to enforce application-level permissions.
Edit [@tomchristie] Replaced title from "Replace 403 by 401 error in permissions.IsAuthenticated"
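The rule the thread converges on (401 plus a `WWW-Authenticate` challenge when an HTTP authentication scheme could still succeed, 403 otherwise, and 403 for application-level permission failures) as an added Python illustration. This is not django-rest-framework's code; the class names, the `authenticate_header()` hook, the dict-shaped request and the `USERS` table are assumptions made for the example.

```python
import base64
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


# Constructed credential store for the illustration only.
USERS = {"alice": "s3cret"}


def basic_header(user, password):
    """Build the value of an HTTP Basic 'Authorization' header (constructed helper)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


class BasicAuthentication:
    """HTTP authentication scheme: it can issue a WWW-Authenticate challenge,
    so a missing/invalid credential is answered with 401."""

    def authenticate(self, request):
        header = request.get("Authorization", "")
        if not header.startswith("Basic "):
            return None
        try:
            user, _, password = base64.b64decode(header[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        return user if USERS.get(user) == password else None

    def authenticate_header(self):
        # Hypothetical hook: the challenge to send in WWW-Authenticate.
        return 'Basic realm="api"'


class SessionAuthentication:
    """Cookie/session based login: there is no HTTP challenge the client
    could answer, so an unauthenticated request gets 403 (the thread's
    UserLoggedInAuthentication case)."""

    def authenticate(self, request):
        return request.get("session_user")

    def authenticate_header(self):
        return None


def unauthenticated_response(auth):
    """401 with a challenge if the scheme can challenge, else 403."""
    challenge = auth.authenticate_header()
    if challenge:
        return Response(401, {"WWW-Authenticate": challenge})
    return Response(403)


def dispatch(request, auth, has_permission):
    """Authenticate first; only an authenticated user is checked for permissions,
    and a permission failure is always an application-level 403."""
    user = auth.authenticate(request)
    if user is None:
        return unauthenticated_response(auth)
    if not has_permission(user):
        return Response(403)
    return Response(200)


if __name__ == "__main__":
    print(dispatch({}, BasicAuthentication(), lambda u: True))
    print(dispatch({}, SessionAuthentication(), lambda u: True))
    print(dispatch({"Authorization": basic_header("alice", "s3cret")},
                   BasicAuthentication(), lambda u: False))
```

The point the example makes concrete is that the status code is chosen by the authentication scheme, not by the permission check: the same permission failure yields 403 under both schemes, while only the challenge-capable scheme turns "no credentials" into a 401 the client can act on.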