
I'm giving flask-security a go...it has a lot of nice pieces to it. I ran into some quirky behavior though that I don't really understand. From the code I looked at it looks very intentional that the code works the way it does, but I can't understand the rationale.

If you protect a view using @auth_token_required and the criteria are not met, a 401 is returned. Makes perfect sense.

However, if you protect a view using @roles_required and the criteria are not met, the server redirects (302) to an unauthorized view.

It makes no sense to me why they both would not behave consistently. Indeed, in both cases I want and expect a 401.

Can anyone explain the reasoning and why I might want this? Or can someone explain the best way to customize the @roles_required behavior?

Thanks!

lostdorje

1 Answer

I believe this has something to do with the different levels of unauthorized responses, the first being a 401 error and the second a 403 error.

Here's the difference between the two:

In summary, a 401 Unauthorized response should be used for missing or bad authentication, and a 403 Forbidden response should be used afterwards, when the user is authenticated but isn’t authorized to perform the requested operation on the given resource.

Source: 403 Forbidden vs 401 Unauthorized HTTP responses

DigitalDouble
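As an added example (not code from the question, the answer, or Flask-Security itself), here is the 401/403 split the answer describes, written as a role-check decorator that fails closed with a status code where Flask-Security's @roles_required redirects. It uses a constructed `User` class and a dict as stand-ins for `current_user` and the request context, so it runs without Flask or Flask-Security installed.

```python
from functools import wraps

# Constructed stand-in for Flask-Security's current_user and the request
# context (assumption: runs without Flask or Flask-Security installed).
class User:
    def __init__(self, authenticated, roles=()):
        self.is_authenticated = authenticated
        self.roles = frozenset(roles)

ANONYMOUS = User(authenticated=False)
_context = {"user": ANONYMOUS}

def current_user():
    return _context["user"]

def roles_required(*roles):
    """Role check that fails closed with a status code instead of a redirect:
    401 when nobody is authenticated, 403 when the authenticated user lacks
    any required role. Views return (body, status) tuples, as in Flask."""
    def wrapper(fn):
        @wraps(fn)
        def decorated(*args, **kwargs):
            user = current_user()
            if not user.is_authenticated:
                return ({"error": "authentication required"}, 401)
            missing = sorted(r for r in roles if r not in user.roles)
            if missing:
                return ({"error": "forbidden", "missing_roles": missing}, 403)
            return fn(*args, **kwargs)
        return decorated
    return wrapper

@roles_required("admin")
def admin_dashboard():
    return ({"ok": True}, 200)

def status_for(user):
    """Run the protected view as `user` and return the HTTP status only."""
    _context["user"] = user
    try:
        return admin_dashboard()[1]
    finally:
        _context["user"] = ANONYMOUS

if __name__ == "__main__":
    print(status_for(ANONYMOUS))                        # 401
    print(status_for(User(True, ["editor"])))           # 403
    print(status_for(User(True, ["editor", "admin"])))  # 200
```

With Flask-Security itself, a response like this can be returned from a callback registered through `security.unauthorized_handler`, which @roles_required calls in place of the redirect; the `UNAUTHORIZED_VIEW` setting only changes where the redirect goes.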