[wp-trac] [WordPress Trac] #18030: Die with HTTP status 403 forbidden when capability check fails in wp-admin
WordPress Trac
wp-trac at lists.automattic.com
Thu Jul 7 22:42:29 UTC 2011
#18030: Die with HTTP status 403 forbidden when capability check fails in wp-admin
----------------------------+-----------------------------
Reporter: niallkennedy | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Administration | Version:
Severity: minor | Keywords: has-patch
----------------------------+-----------------------------
The default HTTP status code of
[http://core.trac.wordpress.org/browser/tags/3.2/wp-includes/functions.php#L2740 wp_die()] is a
[http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.5.1 500
Internal Server Error], communicating that WordPress encountered an
"unexpected condition which prevented it from fulfilling the request."
Multiple pages trigger wp_die() in wp-admin when a minimum user capability
is not met (e.g. Cheatin', uh?). In these cases we know why the request
failed and could better communicate the failure in the HTTP status code.
We want to communicate the same request should not be repeated without a
modification to permissions. We also would like to shift the error class
from a server error (5xx) to a client error (4xx).
HTTP status
[http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.4 403
Forbidden] communicates the authorization failure in HTTP status form. The
server can be reached, we understood your request, but we declined access
to the page.
A WordPress install could catch this unique status code in its
wp_die_handler and further suggest the viewer contact the IT department,
admin, etc. for additional permissions.
Patch attached for wp-admin/edit.php. If the general idea behind the
change is acceptable I can broaden the patch to other occurrences of
wp_die() for failed capability checks in wp-admin.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/18030>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
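The pattern the ticket proposes, written out as an added example (not the attached patch and not WordPress core code): a capability check in wp-admin passes `'response' => 403` to `wp_die()`, and a site-level plugin hooks the `wp_die_handler` filter so that a 403 gets a "contact your administrator" page while every other status falls through to the default handler. The function names prefixed `example_` are assumptions for illustration; `current_user_can()`, `wp_die()`, `status_header()`, `nocache_headers()`, `wp_parse_args()`, `_default_wp_die_handler()` and the `wp_die_handler` filter are the WordPress 3.2 APIs the ticket refers to.

```php
<?php
/*
Plugin Name: Example: 403 on failed capability checks
Description: Added example for Trac #18030. Not part of WordPress core.
*/

// Caller side. Instead of a bare wp_die( 'Cheatin&#8217; uh?' ), which
// sends the default 500, tell wp_die() this is a client-side
// authorization failure so it emits "403 Forbidden".
// Assumed helper name; wp-admin pages would call wp_die() directly.
function example_require_capability( $capability ) {
	if ( ! current_user_can( $capability ) ) {
		wp_die(
			__( 'You do not have sufficient permissions to access this page.' ),
			__( 'Forbidden' ),
			array( 'response' => 403 )
		);
	}
}

// Handler side. wp_die() looks up its handler through the
// 'wp_die_handler' filter (for normal, non-AJAX, non-XML-RPC requests)
// and calls it with ( $message, $title, $args ).
function example_get_wp_die_handler( $default_handler ) {
	return 'example_wp_die_handler';
}
add_filter( 'wp_die_handler', 'example_get_wp_die_handler' );

function example_wp_die_handler( $message, $title = '', $args = array() ) {
	// Same default as core: an unspecified response is still a 500.
	$r = wp_parse_args( $args, array( 'response' => 500 ) );

	// Only the authorization case gets special treatment; everything else
	// keeps core's behaviour and wording.
	if ( 403 !== (int) $r['response'] ) {
		_default_wp_die_handler( $message, $title, $args );
		return;
	}

	if ( ! headers_sent() ) {
		status_header( 403 );
		nocache_headers();
		header( 'Content-Type: text/html; charset=utf-8' );
	}

	// Core passes the message as HTML already (e.g. 'Cheatin&#8217; uh?'),
	// so it is echoed as-is, wrapped in <p> when it is not already.
	if ( false === strpos( $message, '<p>' ) ) {
		$message = "<p>$message</p>";
	}
	if ( empty( $title ) ) {
		$title = __( 'Forbidden' );
	}

	$admin_email = get_option( 'admin_email' );
	$contact     = sprintf(
		__( 'If you believe you should have access to this page, ask the site administrator (%s) to adjust your role or capabilities.' ),
		esc_html( $admin_email )
	);
	?>
<!DOCTYPE html>
<html>
<head>
	<meta charset="utf-8" />
	<title><?php echo esc_html( $title ); ?></title>
</head>
<body>
	<h1><?php echo esc_html( $title ); ?></h1>
	<?php echo $message; ?>
	<p><?php echo $contact; ?></p>
</body>
</html>
	<?php
	die();
}
```

Two things worth checking when broadening such a patch across wp-admin: `status_header()` only takes effect if nothing has been output yet, so the 403 must be emitted before any admin chrome is sent, and a 403 should not be sent for the unrelated "unexpected condition" cases (bad nonce, missing object) that also happen to call `wp_die()`, since those are not authorization failures and keeping them on the default status is what makes the 403 meaningful to a handler like the one above.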