
Opened 11 years ago

Closed 8 years ago

#18030 closed enhancement (duplicate)

Die with HTTP status 403 forbidden when capability check fails in wp-admin

Reported by: niallkennedy
Owned by:
Milestone:
Priority: normal
Severity: minor
Version:
Component: Administration
Keywords: has-patch
Focuses:
Cc:


The default HTTP status code of wp_die() is a 500 Internal Service Error, communicating that WordPress encountered an "unexpected condition which prevented it from fulfilling the request." Multiple pages trigger wp_die() in wp-admin when a minimum user capability is not met (e.g. Cheatin', uh?). In these cases we know why the request failed and could better communicate the failure in the HTTP status code. We want to communicate that the same request should not be repeated without a modification to permissions. We also would like to shift the error class from a server error (5xx) to a client error (4xx).

HTTP status 403 Forbidden communicates the authorization failure in HTTP status form. The server can be reached, we understood your request, but we declined access to the page.

A WordPress install could catch this unique status code in its wp_die_handler and further suggest that the viewer contact the IT department, admin, etc. for additional permissions.

Patch attached for wp-admin/edit.php. If the general idea behind the change is acceptable I can broaden the patch to other occurrences of wp_die() for failed capability checks in wp-admin.

Attachments (1)

edit.diff (2.1 KB) - added by niallkennedy 11 years ago.
Define a response of 403 when calling wp_die() after a capability check fails.
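
The idea in this ticket, sketched as a small plugin. This is an added example, not the contents of edit.diff and not WordPress core code. The `example_*` names, the "Reports" screen, the `manage_options` check and the message strings are hypothetical, and the code assumes it is loaded by WordPress as a plugin.

```php
<?php
/**
 * Plugin Name: Example 403 die handler (constructed illustration)
 */
defined( 'ABSPATH' ) || exit;

// Hypothetical admin screen: a failed capability check passes an explicit 403
// to wp_die() instead of relying on its default 500.
function example_render_reports_page() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die(
			esc_html__( 'You do not have permission to view this page.', 'example' ),
			'',
			array( 'response' => 403 )
		);
	}
	echo '<div class="wrap"><h1>Reports</h1></div>';
}

add_action( 'admin_menu', function () {
	// Registered with the low 'read' capability only so that the stricter
	// check inside the callback is reachable in this illustration.
	add_menu_page( 'Reports', 'Reports', 'read', 'example-reports', 'example_render_reports_page' );
} );

// Wrap whichever die handler is already registered. For 403 responses, record
// the denial and append guidance; every other status passes through untouched.
add_filter( 'wp_die_handler', function ( $handler ) {
	return function ( $message, $title = '', $args = array() ) use ( $handler ) {
		$args = wp_parse_args( $args );

		if ( isset( $args['response'] ) && 403 === (int) $args['response'] ) {
			// Authorization failures become visible to log monitoring.
			error_log( sprintf( 'wp-admin 403 for user_id=%d', get_current_user_id() ) );

			// A WP_Error message is left as-is; only plain strings are extended.
			if ( is_string( $message ) ) {
				$message .= '<p>' . esc_html__( 'Contact your site administrator to request access.', 'example' ) . '</p>';
			}
		}

		call_user_func( $handler, $message, $title, $args );
	};
} );
```

With the status set this way, access-log monitoring can separate denied wp-admin requests (4xx) from real server faults (5xx).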


Change History (2)

11 years ago

Define a response of 403 when calling wp_die() after a capability check fails.

#1 @johnbillion
8 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #10551.
