[BUG] incorrect HTTP response (404) on ACL fail in wforce 2.6.1 (should be 401)
sshipway opened this issue · 2 comments
Describe the bug
When weakforced is queried by a host not in the ACL, it returns a 404 status. This should be either a 401, or else a 200 with an API failure status in the returned JSON (this was the behaviour under 2.4).
To Reproduce
Send a request to weakforced /?command=ping with the correct credentials, from a client not in the server ACL. Verify the response code.
curl -w " HTTP Status %{http_code}" -Ss1 -H "Authorization: Basic $AUTH" "http://$ENDPOINT:8084/?command=ping"
Expected behavior
Ideally, a 401 response with a JSON body containing a weakforced error.
Failing that, the same behaviour as in 2.4, which was a 200 response with a JSON-formatted error message.
Screenshots
n/a
OS (please complete the following information):
- OS: CentOS
- Version 7
Additional context
This was discovered because it broke our monitoring and unit tests after upgrading to 2.6.1
Standard REST behaviour would be a 401 response for ACL failure and also for authentication failure. An incorrect password does return a 401 status and JSON error in weakforced, as expected.
Yes, thanks for reporting this, Steve. I will fix this in 2.6.2.
The behaviour will be the same as for authentication failure, i.e. 401 plus JSON error.
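For monitoring that has to survive the three behaviours described in this thread (200 with a JSON error in 2.4, 404 in 2.6.1, 401 with a JSON error as planned for 2.6.2), the following is an added example, not code from the issue or from the weakforced project. It assumes the JSON body carries a `status` field equal to `"ok"` on success; the function name and the sample responses are constructed for illustration.

```python
import json

def classify_ping(status_code: int, body: str) -> str:
    """Map one /?command=ping response to a monitoring state.

    Assumption: the JSON body has a "status" field that is "ok" on success.
    """
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        doc = None
    api_status = doc.get("status") if isinstance(doc, dict) else None

    if status_code == 200:
        if api_status == "ok":
            return "ok"
        if api_status is not None:
            # 2.4 behaviour from the thread: 200 plus a JSON error
            return "rejected"
        return "error"  # 200 without a usable JSON status field
    if status_code == 401:
        # Bad credentials, and ACL failure once it matches auth failure
        return "rejected"
    if status_code == 404:
        # 2.6.1 ACL failure cannot be told apart from a wrong path or port,
        # so the monitor must not report it as a clean rejection
        return "rejected_or_missing"
    return "error"

# Constructed sample responses (status code, body), not captured from a server
SAMPLES = {
    "healthy": (200, '{"status": "ok"}'),
    "2.4 ACL failure": (200, '{"status": "failure", "reason": "denied"}'),
    "2.6.1 ACL failure": (404, ""),
    "401 with JSON error": (401, '{"status": "failure", "reason": "denied"}'),
    "proxy error page": (502, "<html>Bad Gateway</html>"),
}

if __name__ == "__main__":
    for name, (code, body) in SAMPLES.items():
        print(f"{name:22} -> {classify_ping(code, body)}")
```

Alerting on `rejected_or_missing` separately from `rejected` keeps an ACL misconfiguration from being confused with a wrong endpoint.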