From: Tim Otten
Date: Tue, 16 Feb 2021 06:45:36 +0000 (-0800)
Subject: WordPress - If we hit a "permission denied" error, return HTTP 403
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=34d96c0a5cf114a2f0f8d117888f9ba6b113a391;p=civicrm-core.git

WordPress - If we hit a "permission denied" error, return HTTP 403

Overview
--------

On WordPress, any CiviCRM page that produces a "permission denied" sends an HTTP status code of 200. This incorrectly indicates that the page-request was a success.

Before
------

```
$ curl -vv 'http://wpmaster.127.0.0.1.nip.io:8001/civicrm/dashboard' 2>&1 |grep HTTP
> GET /civicrm/dashboard HTTP/1.1
< HTTP/1.1 200 OK
```

After
-----

```
$ curl -vv 'http://wpmaster.127.0.0.1.nip.io:8001/civicrm/dashboard' 2>&1 |grep HTTP
> GET /civicrm/dashboard HTTP/1.1
< HTTP/1.1 403 Forbidden
```
---

diff --git a/CRM/Utils/System/WordPress.php b/CRM/Utils/System/WordPress.php index 1b2d22ebf2..fa8518bc21 100644 --- a/CRM/Utils/System/WordPress.php +++ b/CRM/Utils/System/WordPress.php @@ -503,6 +503,7 @@ class CRM_Utils_System_WordPress extends CRM_Utils_System_Base { * @throws \CRM_Core_Exception */ public function permissionDenied() { + status_header(403); throw new CRM_Core_Exception(ts('You do not have permission to access this page.')); }
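
Review bot: In permissionDenied(), the new status_header(403) call is a side effect that the docblock does not mention; the visible comment still lists only "@throws \CRM_Core_Exception". Suggest adding a line to the docblock saying the method sets the HTTP response status to 403 before throwing, so callers know the status is changed even if they catch the exception. The call is also unconditional, so it is worth confirming that permissionDenied() is always reached before any page output has started and that whatever handles the CRM_Core_Exception does not set a different status afterwards. The commit message verifies the result by hand with curl; the visible diff adds no automated test for the status code, which would keep this access-control signal from regressing.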