Reverted yiisoft#13822, clarified exception descriptions

Deele · Mar 30, 2017 · a626440 · a626440
1 parent f5f31c7
commit a626440
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 19 deletions.
diff --git a/framework/CHANGELOG.md b/framework/CHANGELOG.md
@@ -54,7 +54,6 @@ Yii Framework 2 Change Log
 - Bug #13776: Fixed setting precision and scale for decimal columns in MSSQL (arturf)
 - Bug #13704: Fixed `yii\validators\UniqueValidator` to prefix attribute name with model's database table name (vladis84)
 - Enh #13823: Refactored migrations template (Kolyunya)
-- Bug #13822: Fixed `yii\web\User::loginRequired()` to throw an `UnauthorizedHttpException` instead of a `ForbiddenHttpException` (Kolyunya)
 - Enh #13845: `mt_rand()` is used instead of `rand()` in `yii\captcha\CaptchaAction` (kalessil)
 
 2.0.11.2 February 08, 2017

diff --git a/framework/web/ForbiddenHttpException.php b/framework/web/ForbiddenHttpException.php
@@ -10,13 +10,12 @@
 /**
  * ForbiddenHttpException represents a "Forbidden" HTTP exception with status code 403.
  *
- * Use this exception when a user has been authenticated but is not allowed to
- * perform the requested action. If the user is not authenticated, consider
- * using a 401 [[UnauthorizedHttpException]]. If you do not want to
- * expose authorization information to the user, it is valid to respond with a
- * 404 [[NotFoundHttpException]].
+ * Use this exception when a user is not allowed to perform the requested action.
+ * Using different credentials might or might not allow performing the requested action.
+ * If you do not want to expose authorization information to the user, it is valid
+ * to respond with a 404 [[NotFoundHttpException]].
  *
- * @link http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.4
+ * @link https://tools.ietf.org/html/rfc7231#section-6.5.3
  * @author Dan Schmidt <[email protected]>
  * @since 2.0
  */

diff --git a/framework/web/UnauthorizedHttpException.php b/framework/web/UnauthorizedHttpException.php
@@ -10,12 +10,14 @@
 /**
  * UnauthorizedHttpException represents an "Unauthorized" HTTP exception with status code 401
  *
- * Use this exception to indicate that a client needs to authenticate or login
- * to perform the requested action. If the client is already authenticated and
- * is simply not allowed to perform the action, consider using a 403
- * [[ForbiddenHttpException]] or 404 [[NotFoundHttpException]] instead.
+ * Use this exception to indicate that a client needs to authenticate via WWW-Authenticate header
+ * to perform the requested action.
  *
- * @link http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2
+ * If the client is already authenticated and is simply not allowed to
+ * perform the action, consider using a 403 [[ForbiddenHttpException]]
+ * or 404 [[NotFoundHttpException]] instead.
+ *
+ * @link https://tools.ietf.org/html/rfc7235#section-3.1
  * @author Dan Schmidt <[email protected]>
  * @since 2.0
  */

diff --git a/framework/web/User.php b/framework/web/User.php
@@ -404,7 +404,7 @@ public function setReturnUrl($url)
      * the request does not accept HTML responses the current URL will not be SET as the return URL. Also instead of
      * redirecting the user an ForbiddenHttpException is thrown. This parameter is available since version 2.0.8.
      * @return Response the redirection response if [[loginUrl]] is set
-     * @throws UnauthorizedHttpException the "Unauthorized" HTTP exception if [[loginUrl]] is not set or a redirect is
+     * @throws ForbiddenHttpException the "Access Denied" HTTP exception if [[loginUrl]] is not set or a redirect is
      * not applicable.
      */
     public function loginRequired($checkAjax = true, $checkAcceptHeader = true)
@@ -424,7 +424,7 @@ public function loginRequired($checkAjax = true, $checkAcceptHeader = true)
                 return Yii::$app->getResponse()->redirect($this->loginUrl);
             }
         }
-        throw new UnauthorizedHttpException(Yii::t('yii', 'Login Required'));
+        throw new ForbiddenHttpException(Yii::t('yii', 'Login Required'));
     }
 
     /**

diff --git a/tests/framework/web/UserTest.php b/tests/framework/web/UserTest.php
@@ -17,7 +17,7 @@ function time()
 use yii\base\NotSupportedException;
 use yii\base\Component;
 use yii\rbac\PhpManager;
-use yii\web\UnauthorizedHttpException;
+use yii\web\ForbiddenHttpException;
 use yii\web\Cookie;
 use yii\web\CookieCollection;
 use yii\web\IdentityInterface;
@@ -226,7 +226,7 @@ public function testLoginRequired()
         $_SERVER['HTTP_ACCEPT'] = 'text/json, */*; q=0.1';
         try {
             $user->loginRequired();
-        } catch (UnauthorizedHttpException $e) {}
+        } catch (ForbiddenHttpException $e) {}
         $this->assertFalse(Yii::$app->response->getIsRedirection());
 
         $this->reset();
@@ -263,12 +263,12 @@ public function testLoginRequired()
         $_SERVER['HTTP_ACCEPT'] = 'text/json;q=0.1';
         try {
             $user->loginRequired();
-        } catch (UnauthorizedHttpException $e) {}
+        } catch (ForbiddenHttpException $e) {}
         $this->assertNotEquals('json-only', $user->getReturnUrl());
 
         $this->reset();
         $_SERVER['HTTP_ACCEPT'] = 'text/json;q=0.1';
-        $this->setExpectedException('yii\\web\\UnauthorizedHttpException');
+        $this->setExpectedException('yii\\web\\ForbiddenHttpException');
         $user->loginRequired();
     }
 
@@ -291,7 +291,7 @@ public function testLoginRequiredException1()
         $this->mockWebApplication($appConfig);
         $this->reset();
         $_SERVER['HTTP_ACCEPT'] = 'text/json,q=0.1';
-        $this->setExpectedException('yii\\web\\UnauthorizedHttpException');
+        $this->setExpectedException('yii\\web\\ForbiddenHttpException');
         Yii::$app->user->loginRequired();
     }