From 2e7269f566a0204dbc83d6c8f423886e27d60363 Mon Sep 17 00:00:00 2001
From: Florian Pritz
Date: Fri, 29 Jul 2016 11:17:06 +0200
Subject: Return 403 instead of 401 for missing authentication
According to the RFC this is only useful for services that use HTTP's built in authentication schemes. We don't so we can't use this code.
References: https://tools.ietf.org/html/rfc7235
Signed-off-by: Florian Pritz
---
 application/controllers/user.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'application/controllers/user.php')
diff --git a/application/controllers/user.php b/application/controllers/user.php
index ab411d7d2..891ef9451 100644
--- a/application/controllers/user.php
+++ b/application/controllers/user.php
@@ -38,7 +38,7 @@ class User extends MY_Controller {
 if ($this->muser->login($username, $password)) {
 $this->output->set_status_header(204);
 } else {
- $this->output->set_status_header(401);
+ $this->output->set_status_header(403);
 }
 }
-- 
cgit v1.2.3-24-g4f1b
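Review bot: The `else` branch that now calls `set_status_header(403)` has no comment recording why a rejected `login()` answers 403 rather than 401, so a later reader may well change it back. A one-line comment above the call would do, e.g. `// 403, not 401: RFC 7235 requires a WWW-Authenticate challenge with 401, and we do not use HTTP auth schemes`. Since a failed login on this endpoint is now reported as 403, any brute-force alerting, log-based ban filter or API client that keys on 401 here (none is visible in the hunk) would need to match 403 instead, otherwise failed-login detection stops firing silently. The enclosing method begins above the hunk, so whether failed attempts are logged or throttled elsewhere cannot be judged from these lines.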