This repository was archived by the owner on Sep 24, 2018. It is now read-only.

Description
To make the REST API more useful to client developers, it would be helpful to return a different error message when the request isn't authenticated vs authorized.
Given the following example:
```
local ➜ ~ http wordpress-develop.dev/wp-json/wp/v2/posts/99/meta --auth=daniel:daniel
HTTP/1.1 403 Forbidden
Access-Control-Allow-Headers: Authorization
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages
Connection: keep-alive
Content-Type: application/json; charset=UTF-8
Date: Tue, 20 Oct 2015 20:15:55 GMT
Server: nginx/1.4.6 (Ubuntu)
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Powered-By: PHP/5.5.9-1ubuntu4.7

[
    {
        "code": "rest_forbidden",
        "data": {
            "status": 403
        },
        "message": "Sorry, you cannot view the meta for this post."
    }
]
```
It's impossible to determine whether my user is authenticated, but not authorized, or not authenticated at all.
In my case, I wasn't authenticated, because I had forgotten to reactivate the Basic Auth plugin.
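
The distinction requested above, sketched as an added example that is not part of the original issue or the plugin's own code: a permission callback that answers 401 when no user was authenticated and 403 when the user is known but lacks the capability. The `example/v1` namespace, the function name, the `rest_not_authenticated` code and the choice of the `edit_post` capability are assumptions for illustration.

```php
<?php
/**
 * Added example (hypothetical route and names): tell "not authenticated"
 * apart from "authenticated but not authorized" in a REST permission check.
 */
function example_meta_permissions_check( WP_REST_Request $request ) {
	$post_id = (int) $request['parent_id'];

	if ( ! is_user_logged_in() ) {
		// No identity was established for this request: credentials were
		// missing, rejected, or never processed (e.g. auth plugin inactive).
		return new WP_Error(
			'rest_not_authenticated', // assumed code, not taken from the issue
			__( 'Authentication is required to view the meta for this post.' ),
			array( 'status' => 401 )
		);
	}

	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		// Identity is known, but it does not hold the required capability.
		return new WP_Error(
			'rest_forbidden',
			__( 'Sorry, you cannot view the meta for this post.' ),
			array( 'status' => 403 )
		);
	}

	return true;
}

add_action( 'rest_api_init', function () {
	register_rest_route( 'example/v1', '/posts/(?P<parent_id>\d+)/meta', array(
		'methods'             => 'GET',
		'permission_callback' => 'example_meta_permissions_check',
		'callback'            => function ( WP_REST_Request $request ) {
			// Only reached when the permission callback returned true.
			return rest_ensure_response( get_post_meta( (int) $request['parent_id'] ) );
		},
	) );
} );
```

With a check like this, a request whose Basic Auth header is never processed gets a 401, while a logged-in user without the capability still gets the 403 shown in the issue.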