Details
- Bug
- Resolution: Fixed
- Medium
- 4.6.0, 4.7.0, 5.0, 5.1
- None
Description
An HTTPError setting exists in error.ini to define which HTTP status header to return for certain errors.
However, for the "Access Denied" error (code 1), only the first request actually sets this header.
As the response is cached, any further requests will return "200 OK".
Steps to reproduce:
- In error.ini:

    [ErrorSettings-kernel]
    HTTPError[1]=401

    [HTTPError-401]
    HTTPName=Authorization Required

- Clear caches
- With an anonymous account, try to access a restricted section (such as 'Media').
- The result status is "HTTP 401: Authorization Required"
- Now refresh the page.
The same page will return an HTTP status 200.
Clearing the cache makes the next request valid again.
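
The reproduction steps above can be turned into a repeatable regression check. The following is an added example, not code from eZ Publish: it repeats a request and reports every attempt whose status differs from the configured one. The two cache classes are constructed models of the reported behaviour and of one possible correction (an assumption, not the project's actual fix), and the `/Media` path is hypothetical.

```python
import urllib.error
import urllib.request


def http_status(url):
    """Status of a GET against a live site, without raising on 4xx/5xx."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def unstable_statuses(fetch, url, expected, attempts=3):
    """Repeat the request; return (attempt, status) for every mismatch."""
    mismatches = []
    for attempt in range(1, attempts + 1):
        status = fetch(url)
        if status != expected:
            mismatches.append((attempt, status))
    return mismatches


class BodyOnlyCache:
    """Constructed model of the report: the page is cached, its status is not."""

    def __init__(self):
        self.store = {}

    def fetch(self, url):
        if url in self.store:
            return 200  # cache hit: the code that sets the header never runs
        self.store[url] = "Access denied"
        return 401  # cache miss: kernel error 1 mapped through HTTPError[1]


class StatusAwareCache(BodyOnlyCache):
    """Assumed correction: keep the status with the body and replay it on hits."""

    def fetch(self, url):
        if url not in self.store:
            self.store[url] = (401, "Access denied")
        return self.store[url][0]


def demo(url="/Media"):  # hypothetical path for the restricted section
    return (unstable_statuses(BodyOnlyCache().fetch, url, 401),
            unstable_statuses(StatusAwareCache().fetch, url, 401))
```

Against a real installation, pass `http_status` as `fetch` with the full URL of a restricted page and run the check once right after clearing caches, so the first attempt is the cache miss.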
Issue Links
- relates to
  - EZP-19915 return an http error code 403 by default on access denied pages (kernel error 1) (Open)
  - EZP-21337 Return correct HTTP code for access denied page (Closed)
  - EZP-21682 Hide / reveal doesn't expire cache in DFS (Closed)
  - EZP-25922 kernel error 3 (not available) 404 errors are being cached (Closed)
  - EZP-22472 Incorrect error handling (Closed)
  - EZP-22796 Response for "Access denied" (1) error is cached when ErrorHandler=redirect (Confirmed)