- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: None
- Fix Version/s: 5.6.0-HF17, 5.7.1
- Component/s: Automation, Nuxeo Drive
- Tags:
- Upgrade notes:

HTTP 401 should only be used to signal authentication issues (missing or invalid credentials, for instance when the HTTP Basic auth header is missing or invalid).
HTTP 403 should be used to signal authorization issues, for instance when an authenticated client tries to access a resource without having been granted the permissions to do so.
Right now org.nuxeo.ecm.automation.server.jaxrs.ExceptionHandler maps any authorization exception coming from the core to 401 instead of 403, which makes it impossible for the automation client to know whether there is a problem with the credentials (e.g. a password has been changed) or whether the user simply lacks the permissions on a specific document.
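The following is an added example, not code from Nuxeo or from the ExceptionHandler mentioned above. It contrasts the mapping described in the issue (every security failure becomes 401) with the intended one (401 only for credential problems, 403 for missing permissions) and shows why the distinction matters to a client: with the buggy mapping, a user who merely lacks a permission is told to re-authenticate. The two exception classes and the client action strings are assumptions standing in for the core's authentication and authorization failures; in a real JAX-RS deployment the two `status*` methods would live inside an `ExceptionMapper`.

```java
/**
 * Added example (not Nuxeo's code): maps core security exceptions to HTTP
 * status codes so a client can tell credential problems (401) from
 * permission problems (403).
 */
public class AuthStatusMapping {

    // Hypothetical exception types; the names are assumptions, not Nuxeo classes.
    static class AuthenticationException extends RuntimeException {
        AuthenticationException(String msg) { super(msg); }
    }
    static class DocumentSecurityException extends RuntimeException {
        DocumentSecurityException(String msg) { super(msg); }
    }

    /** Mapping as described in the issue: every security failure becomes 401. */
    static int statusBefore(Throwable t) {
        if (t instanceof AuthenticationException || t instanceof DocumentSecurityException) {
            return 401;
        }
        return 500;
    }

    /** Intended mapping: 401 only for missing/invalid credentials, 403 for lack of permission. */
    static int statusAfter(Throwable t) {
        if (t instanceof AuthenticationException) {
            return 401;
        }
        if (t instanceof DocumentSecurityException) {
            return 403;
        }
        return 500;
    }

    /** What an automation client can reasonably do with each status it receives. */
    static String clientAction(int status) {
        switch (status) {
            case 401: return "re-authenticate: credentials missing or invalid (e.g. password changed)";
            case 403: return "report: user lacks permission on this document; do not retry login";
            default:  return "report server error";
        }
    }

    public static void main(String[] args) {
        // Constructed sample failures, one of each kind.
        Throwable[] failures = {
            new AuthenticationException("Basic auth header missing or invalid"),
            new DocumentSecurityException("no Read permission on /default-domain/workspaces/example"),
        };
        for (Throwable t : failures) {
            int before = statusBefore(t);
            int after = statusAfter(t);
            System.out.printf("%s%n  before: %d -> %s%n  after:  %d -> %s%n",
                t.getMessage(), before, clientAction(before), after, clientAction(after));
        }
    }
}
```

Running `main` prints both failures mapped to 401 under the old mapping, so the client would ask the user to log in again even for the permission case; under the fixed mapping the permission failure yields 403 and the client can report it as such and skip the credential prompt.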