From 34d96c0a5cf114a2f0f8d117888f9ba6b113a391 Mon Sep 17 00:00:00 2001
From: Tim Otten
Date: Mon, 15 Feb 2021 22:45:36 -0800
Subject: [PATCH] WordPress - If we hit a "permission denied" error, return HTTP 403

Overview
--------
On WordPress, any CiviCRM page that produces a "permission denied" sends an HTTP status code of 200. This is incorrectly indicates that the page-request was a success.

Before
------
```
$ curl -vv 'http://wpmaster.127.0.0.1.nip.io:8001/civicrm/dashboard' 2>&1 |grep HTTP
> GET /civicrm/dashboard HTTP/1.1
< HTTP/1.1 200 OK
```

After
-----
```
$ curl -vv 'http://wpmaster.127.0.0.1.nip.io:8001/civicrm/dashboard' 2>&1 |grep HTTP
> GET /civicrm/dashboard HTTP/1.1
< HTTP/1.1 403 Forbidden
```
---
 CRM/Utils/System/WordPress.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CRM/Utils/System/WordPress.php b/CRM/Utils/System/WordPress.php
index 1b2d22ebf2..fa8518bc21 100644
--- a/CRM/Utils/System/WordPress.php
+++ b/CRM/Utils/System/WordPress.php
@@ -503,6 +503,7 @@ class CRM_Utils_System_WordPress extends CRM_Utils_System_Base {
 * @throws \CRM_Core_Exception
 */
 public function permissionDenied() {
+ status_header(403);
 throw new CRM_Core_Exception(ts('You do not have permission to access this page.'));
 }
 
--
2.25.1
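Review bot: permissionDenied() now changes the response status as a side effect before it throws, and nothing in the hunk records that; a caller that catches the CRM_Core_Exception and renders something else (a login prompt, say) would still answer 403 unless it resets the status. I would state it in the docblock, e.g. `* Sets the HTTP response status to 403 before throwing.`; the docblock opens above the hunk, so its existing wording is not visible here. Since the denied page depends on who is asking, it may also be worth following the new line with `nocache_headers();` so shared caches do not store it, unless CiviCRM already sends cache headers elsewhere.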