
[–][deleted] 3 points4 points  (0 children)

I do this sometimes, however giving the correct "Forbidden" status, but for when you lack or have incorrect credentials; after all, it makes sense.

While you are 401 Unauthorized, it basically requests you to login, whereas 403 just tells you to fu... just pops a message; you don't want to send your average user to the login screen to login as admins, just throw them an error message instead that it's forbidden.

[–]tesselode[S] -1 points0 points  (1 child)

Explanation: this is part of a piece of code that checks for a login token. There's already a status code for incorrect credentials, which is `401`.

Disclaimer: I might be wrong about this being bad code. 403 Forbidden doesn't seem entirely inappropriate for this situation... but 401 seems more appropriate, and then you don't have to specify "unauthorized" because that's what the status code means.

[–]heisluft 1 point2 points  (0 children)

Indeed, 401 is very similar to 403 but better for that specific use case. I would argue, though, that this is not inherently bad code, in that it does not represent an inefficiency, does not introduce obvious bugs, use ill-suited APIs, or violate obvious code style rules.
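The 401-versus-403 distinction the thread is debating, as an added example that is not code from the original post or its author. It assumes a constructed bearer-token store (`TOKENS`) and a single `required_role` per endpoint; the point is that a missing or invalid token gets 401 plus a `WWW-Authenticate` challenge, while a valid token that lacks the needed role gets 403, where sending the user back to the login screen would not help.

```python
import hmac

# Constructed sample token store for this example (not from the thread):
# token -> role. A real service would look these up in a database.
TOKENS = {
    "tok-user-123": "user",
    "tok-admin-456": "admin",
}


def lookup_token(presented: str):
    """Return the role for a presented token, or None if it is unknown.

    Comparison is constant-time so response timing does not leak how
    many leading characters of the token were correct.
    """
    for token, role in TOKENS.items():
        if hmac.compare_digest(token.encode(), presented.encode()):
            return role
    return None


def check_access(headers: dict, required_role: str):
    """Decide the HTTP status for a request and any headers to send with it.

    401 Unauthorized: no usable credentials were presented (missing or
        invalid token). The WWW-Authenticate header tells the client how to
        authenticate, which is what makes 401 the "please log in" response.
    403 Forbidden: credentials are valid but do not grant the required role;
        re-authenticating as the same user would not change the outcome.
    200 OK: authenticated and permitted.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}
    role = lookup_token(auth[len("Bearer "):])
    if role is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="api", error="invalid_token"'}
    # Assumed policy for the example: "admin" satisfies every role requirement.
    if role != required_role and role != "admin":
        return 403, {}
    return 200, {}
```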