10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.
--
You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
To post to this group, send email to pylons-...@googlegroups.com.
To unsubscribe from this group, send email to pylons-discus...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/pylons-discuss?hl=en.
This appears to be a mistake on Pyramid's part. Wouldn't it be better
to fix Pyramid to use 401 HTTPUnauthorized for not-logged-in rather
than using 403 HTTPForbidden for both cases?
--
Mike Orr <slugg...@gmail.com>
I've been wondering that too. How is it throwing off search engines,
or do they parse the page to guess if it's a login form. There should
either be a code for redirect with error, or 4xx errors should also be
allowed to have a Location header.
--
Mike Orr <slugg...@gmail.com>
The new URI is not a substitute reference for the originally requested resource.
I might have come at it differently raising 401 initially (all we can say is 'auth required' because we don't know who the user is) and then issue 403 if the authenticated user lacked a particular permission, but then I probably haven't spent as much time wrestling with this matter - I would be intrigued to learn of the reasoning if you have the time Michael? :)
--