fix(api auth): return 401 for authentication errors and 403 for access denied errors, fixes #2693

2025-08-06 05:30:12 +08:00 · 2015-09-08 10:46:31 +02:00
parent 41154d6d11
commit fdcb4473af
1 changed files with 17 additions and 7 deletions
--- a/pkg/middleware/auth.go
+++ b/pkg/middleware/auth.go
@ -36,9 +36,19 @@ func getApiKey(c *Context) string {
 	return ""
 }

-func authDenied(c *Context) {
+func accessForbidden(c *Context) {
 	if c.IsApiRequest() {
-		c.JsonApiErr(401, "Access denied", nil)
+		c.JsonApiErr(403, "Permission denied", nil)
+		return
+	}
+
+	c.SetCookie("redirect_to", url.QueryEscape(setting.AppSubUrl+c.Req.RequestURI), 0, setting.AppSubUrl+"/")
+	c.Redirect(setting.AppSubUrl + "/login")
+}
+
+func notAuthorized(c *Context) {
+	if c.IsApiRequest() {
+		c.JsonApiErr(401, "Unauthorized", nil)
 		return
 	}

@ -56,20 +66,20 @@ func RoleAuth(roles ...m.RoleType) macaron.Handler {
 			}
 		}
 		if !ok {
-			authDenied(c)
+			accessForbidden(c)
 		}
 	}
 }

 func Auth(options *AuthOptions) macaron.Handler {
 	return func(c *Context) {
-		if !c.IsGrafanaAdmin && options.ReqGrafanaAdmin {
-			authDenied(c)
+		if !c.IsSignedIn && options.ReqSignedIn && !c.AllowAnonymous {
+			notAuthorized(c)
 			return
 		}

-		if !c.IsSignedIn && options.ReqSignedIn && !c.AllowAnonymous {
-			authDenied(c)
+		if !c.IsGrafanaAdmin && options.ReqGrafanaAdmin {
+			accessForbidden(c)
 			return
 		}
 	}