From fdcb4473af29d83d31e220e81e7d5669a8a0f34e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torkel=20=C3=96degaard?=
Date: Tue, 8 Sep 2015 10:46:31 +0200
Subject: [PATCH] fix(api auth): return 401 for authentication errors and 403 for access denied errors, fixes #2693

---
 pkg/middleware/auth.go | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/pkg/middleware/auth.go b/pkg/middleware/auth.go
index 9fb09a5c395..2497183b356 100644
--- a/pkg/middleware/auth.go
+++ b/pkg/middleware/auth.go
@@ -36,9 +36,19 @@ func getApiKey(c *Context) string {
 	return ""
 }
 
-func authDenied(c *Context) {
+func accessForbidden(c *Context) {
 	if c.IsApiRequest() {
-		c.JsonApiErr(401, "Access denied", nil)
+		c.JsonApiErr(403, "Permission denied", nil)
+		return
+	}
+
+	c.SetCookie("redirect_to", url.QueryEscape(setting.AppSubUrl+c.Req.RequestURI), 0, setting.AppSubUrl+"/")
+	c.Redirect(setting.AppSubUrl + "/login")
+}
+
+func notAuthorized(c *Context) {
+	if c.IsApiRequest() {
+		c.JsonApiErr(401, "Unauthorized", nil)
 		return
 	}
 
@@ -56,20 +66,20 @@ func RoleAuth(roles ...m.RoleType) macaron.Handler {
 			}
 		}
 		if !ok {
-			authDenied(c)
+			accessForbidden(c)
 		}
 	}
 }
 
 func Auth(options *AuthOptions) macaron.Handler {
 	return func(c *Context) {
-		if !c.IsGrafanaAdmin && options.ReqGrafanaAdmin {
-			authDenied(c)
+		if !c.IsSignedIn && options.ReqSignedIn && !c.AllowAnonymous {
+			notAuthorized(c)
 			return
 		}
 
-		if !c.IsSignedIn && options.ReqSignedIn && !c.AllowAnonymous {
-			authDenied(c)
+		if !c.IsGrafanaAdmin && options.ReqGrafanaAdmin {
+			accessForbidden(c)
 			return
 		}
 	}
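Review bot: accessForbidden's non-API branch still stores redirect_to and sends the browser to the login page, but the 403 split this commit introduces means the helper is now reached by callers who presumably are already signed in and merely lack the required role (Auth only calls it after the sign-in check passes; RoleAuth's `if !ok` case likely has the same shape), so a browser user is re-prompted to log in instead of being told the action is forbidden, and logging in again as the same account loops back here. Add a comment above the SetCookie line such as `// Browser callers land on /login even when already signed in; a dedicated 403 page would match the API branch` or render a forbidden page there. notAuthorized's body continues past the end of the hunk, so its browser branch cannot be reviewed here. Whatever later consumes the redirect_to cookie is also outside this hunk; since the value is the request's RequestURI copied verbatim, that consumer should validate it as a local path before redirecting.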
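Review bot: In Auth, a route configured with ReqGrafanaAdmin but without ReqSignedIn lets an unauthenticated caller skip the first check and reach accessForbidden, answering 403 where the commit's stated rule calls for 401 on missing authentication. If admin routes are meant to imply sign-in, fold that into the first condition: `if !c.IsSignedIn && (options.ReqSignedIn || options.ReqGrafanaAdmin) && !c.AllowAnonymous {`. Whether any route is actually declared that way is not visible from this hunk, so this may be a documentation point on AuthOptions rather than a code change. RoleAuth's closure begins before the hunk; the accessForbidden call in its `if !ok` branch is the closure's last statement, so the absence of a return there is fine.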