cubicweb #3648809 cubicweb returns 401 status instead of 403 for Unauthorized exception [validation pending]

The 401 HTTP status code means:

The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity might include relevant diagnostic information.

That means we should only ever return 401 when:

  • the user is not authenticated, and
  • auth-mode is set to http, not cookie.
done in3.19.0
load left0.000
closed by#c45073a96aee [web] return 403 for Unauthorized, not 401
patch[web/test] add a test for some http response codes [applied][web] return 403 for Unauthorized, not 401 [applied]