mirror/php-flarum
1
0
Fork 0
mirror of https://github.com/flarum/core.git synced 2025-07-29 20:50:28 +02:00
Code Issues Releases Wiki Activity

Fix inconsistent status codes

Browse Source 
HTTP 401 should be used when logging in (i.e. authenticating) would make
a difference; HTTP 403 is reserved for requests that fail because the
already authenticated user is not authorized (i.e. lacking permissions)
to do something.
This commit is contained in:
Franz Liedke
2019-08-20 07:19:55 +02:00
parent 70e98f810c
commit 04bcf1eef6
10 changed files with 53 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/Api/Controller/ListNotificationsController.php
View File

@@ -15,12 +15,14 @@ use Flarum\Api\Serializer\NotificationSerializer;
use Flarum\Discussion\Discussion;
use Flarum\Http\UrlGenerator;
use Flarum\Notification\NotificationRepository;
use Flarum\User\Exception\PermissionDeniedException;
use Flarum\User\AssertPermissionTrait;
use Psr\Http\Message\ServerRequestInterface;
use Tobscure\JsonApi\Document;
class ListNotificationsController extends AbstractListController
{
use AssertPermissionTrait;
/**
* {@inheritdoc}
*/
@@ -67,9 +69,7 @@ class ListNotificationsController extends AbstractListController
{
$actor = $request->getAttribute('actor');
if ($actor->isGuest()) {
throw new PermissionDeniedException;
}
$this->assertRegistered($actor);
$actor->markNotificationsAsRead()->save();

9
src/Api/Controller/ListUsersController.php
View File

@@ -14,7 +14,7 @@ namespace Flarum\Api\Controller;
use Flarum\Api\Serializer\UserSerializer;
use Flarum\Http\UrlGenerator;
use Flarum\Search\SearchCriteria;
use Flarum\User\Exception\PermissionDeniedException;
use Flarum\User\AssertPermissionTrait;
use Flarum\User\Search\UserSearcher;
use Illuminate\Support\Arr;
use Psr\Http\Message\ServerRequestInterface;
@@ -22,6 +22,8 @@ use Tobscure\JsonApi\Document;
class ListUsersController extends AbstractListController
{
use AssertPermissionTrait;
/**
* {@inheritdoc}
*/
@@ -70,9 +72,8 @@ class ListUsersController extends AbstractListController
{
$actor = $request->getAttribute('actor');
if ($actor->cannot('viewUserList')) {
throw new PermissionDeniedException;
}
$this->assertRegistered($actor);
$this->assertCan($actor, 'viewUserList');
$query = Arr::get($this->extractFilter($request), 'q');
$sort = $this->extractSort($request);