Return http status code 403 when access denied. #7293

Open
sirtet opened this issue Feb 24, 2015 · 5 comments
Labels
c: APIs For bugs and features in the Matomo HTTP and plugin APIs. Task Indicates an issue is neither a feature nor a bug and it's purely a "technical" change.

Comments

@sirtet

sirtet commented Feb 24, 2015

When trying a piwik page without logging in, the response is the login form, delivered with status code 200 OK. I think that should be delivered with a 403.

@mnapoli
Contributor

mnapoli commented Feb 24, 2015

👍 but I think 401 is better

401 Unauthorized

Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided.

@mattab
Member

mattab commented Feb 24, 2015

Hi there,
I think if we change to 403, some web server configs will catch this and show an error page instead; this could break Piwik for some users.

@mattab mattab added the Task Indicates an issue is neither a feature nor a bug and it's purely a "technical" change. label Feb 24, 2015
@mattab mattab added this to the Long term milestone Feb 24, 2015
@sirtet
Author

sirtet commented Feb 25, 2015

According to
http://stackoverflow.com/questions/3297048/403-forbidden-vs-401-unauthorized-http-responses
401 seems more correct, but here
http://drupal.stackexchange.com/questions/18348/why-does-drupal-use-403-forbidden
it's said that 401 is only to be used with http auth.
It also says that is why Drupal is using 403.

As Drupal uses 403, I think it should be safe for Piwik too.

Not having the correct response code can be critical for some services, I think.
I stumbled into a concrete case of this problem on a Piwik plugin:
sgiehl/piwik-plugin-ExcludeByDDNS#4

@mnapoli
Contributor

mnapoli commented Feb 25, 2015

That's an interesting POV, maybe 403 is OK then especially since it's not an HTTP API here.

@mattab mattab modified the milestones: Long term, Mid term Dec 23, 2015
@mattab mattab modified the milestones: Long term, Mid term Dec 5, 2016
@pfrenssen

This also happens when accessing the Reporting API without providing a token_auth; it will return a 200 OK. We need to inspect the body and look for result => error. It would be more convenient if we could rely on the HTTP response code.
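The body inspection described in the comment above, as an added example that is not part of the issue thread or of Matomo's own code. It treats a 401/403 status as authoritative (the behaviour the thread asks for), and otherwise falls back to parsing the body for the `result => error` envelope the comment mentions. The `message` field and the sample responses are constructed assumptions, not captured from a real Matomo instance.

```python
"""Client-side interpretation of Matomo/Piwik Reporting API responses.

Added example. Assumptions: an access-denied error comes back as JSON with
``result`` set to ``"error"`` (as stated in the issue) and a ``message``
field (assumed here); a 401/403 status is treated as access denied.
"""
import json
from dataclasses import dataclass
from typing import Any, List, Tuple


@dataclass
class ApiResult:
    ok: bool
    reason: str
    data: Any = None


def interpret_response(status: int, body: str) -> ApiResult:
    """Decide whether a Reporting API call succeeded.

    Order of checks matters: a non-2xx status is authoritative and needs no
    body parsing; only a 200 has to be inspected, because (as the thread
    notes) a missing token_auth currently still yields 200 OK.
    """
    if status in (401, 403):
        return ApiResult(False, f"access denied (HTTP {status})")
    if status >= 400:
        return ApiResult(False, f"HTTP error {status}")

    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        # A 200 with a non-JSON body is most likely an HTML page (e.g. the
        # login form the original report describes), never a valid report.
        return ApiResult(False, "non-JSON body (possibly an HTML login page)")

    if isinstance(payload, dict) and payload.get("result") == "error":
        # 'message' is an assumed field name; fall back if it is absent.
        return ApiResult(False, payload.get("message", "unknown API error"))

    return ApiResult(True, "ok", payload)


def check_all(responses: List[Tuple[int, str]]) -> List[ApiResult]:
    """Interpret a batch of (status, body) pairs, e.g. from a poller."""
    return [interpret_response(status, body) for status, body in responses]


# Constructed sample responses (not real Matomo output).
SAMPLE_RESPONSES: List[Tuple[int, str]] = [
    (200, '{"result":"error","message":"token_auth is missing or invalid (constructed)"}'),
    (200, '[{"label":"Direct Entry","nb_visits":42}]'),
    (200, '<!DOCTYPE html><html><body><form>login</form></body></html>'),
    (403, 'Forbidden'),
]


if __name__ == "__main__":
    for (status, _), result in zip(SAMPLE_RESPONSES, check_all(SAMPLE_RESPONSES)):
        print(f"HTTP {status}: ok={result.ok} reason={result.reason}")
```

The point of keeping the status-code branch first is that, once the server does signal denial via 401/403, the client stops depending on the exact shape of the error body; until then, the JSON fallback is what distinguishes a real report from a silently failed one.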

@mattab mattab added the c: APIs For bugs and features in the Matomo HTTP and plugin APIs. label Dec 10, 2023