Wrongly returns 200 when user does not have permission

I was doing a search. The user is not logged in or the token expired.
For that table, my permission looks like this:
The result is this, with a code 200:
{
"offset": 0,
"data": [],
"nextPage": null,
"totalObjects": 0
}
My code will treat this as if nothing was found. But I need it to return a 401 not authorized, so I can prompt the user to log in.

Thank you very much!


The user is not logged in or the token expired

Can you specify which one of these is true? Do you send the user token with the request? If you do and the token is expired, you’d be getting back an error saying the token is expired. There is an important detail here that sounds quite ambiguous.

Hi Mark, sorry about the confusion. I double-checked, you are right. When I send a bad user-token, it is not 200 that got returned. But when I do not send a user-token, it is 200 with empty result.

Thank you!

Hello. This is not solved. When a user-token is not passed, 200 OK is returned with empty result. Is this expected behavior? I was expecting 401 not authorized.

Your comment made me think the problem is resolved. When you do not pass user-token, the request is processed with the NonAuthenticatedUser role. In this case you should be getting an error back. Do you?

No I don’t.

So without the user-token the request succeeds?

Yes, it does. It however returns empty.
Without user-token. Notice it is 200 OK


with user token

Could you show the “roles permissions” screen for the Craigslist table?



Thanks. I’ll assign this to a developer to investigate

Thank you very much!