Die with HTTP status 403 forbidden when capability check fails in wp-admin
|Reported by:||niallkennedy||Owned by:|
The default HTTP status code of wp_die() is a 500 Internal Service Error communicating WordPress encountered an "unexpected condition which prevented it from fulfilling the request." Multiple pages trigger wp_die() in wp-admin when a minimum user capability is not met (e.g. Cheatin', uh?). In these cases we know why the request failed and could better communicate the failure in the HTTP status code. We want to communicate the same request should not be repeated without a modification to permissions. We also would like to shift the error class from a server error (5xx) to a client error (4xx).
HTTP status 403 Forbidden communicates the authorization failure in HTTP status form. The server can be reached, we understood your request, but we declined access to the page.
A WordPress install could catch this unique status code in its wp_die_handler and suggest further the viewer contact the IT department, admin, etc. for additional permissions.
Patch attached for wp-admin/edit.php. If the general idea behind the change is acceptable I can broaden the patch to other occurrences of wp_die() for failed capability checks in wp-admin.