[BUGFIX] Use 403 header instead of 401 header 44/58244/2
authorMarkus Klein <markus.klein@typo3.org>
Wed, 27 Jun 2018 17:00:12 +0000 (19:00 +0200)
committerMathias Brodala <mbrodala@pagemachine.de>
Mon, 10 Sep 2018 09:14:21 +0000 (11:14 +0200)
The usage of a 401 header must be accompanied by a valid
www-authenticate header, which does not support form-based logins.

Resolves: #85411
Releases: master, 8.7
Change-Id: I71062c58a7d846214f1fec41e78cce4ae72955f3
Reviewed-on: https://review.typo3.org/58244
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Mathias Brodala <mbrodala@pagemachine.de>
Tested-by: Mathias Brodala <mbrodala@pagemachine.de>
typo3/sysext/core/Classes/Resource/Hook/FileDumpEIDHookInterface.php

index 7bd301e..268c457 100644 (file)
@@ -23,7 +23,8 @@ interface FileDumpEIDHookInterface
     /**
      * Perform custom security/access when accessing file
      * Method should issue 403 if access is rejected
-     * or 401 if authentication is required
+     * or 401 if authentication is required via an authorized HTTP authorization scheme.
+     * A 401 header must be accompanied by a www-authenticate header!
      *
      * @param \TYPO3\CMS\Core\Resource\ResourceInterface $file
      */