From 2f752ed1ac9bd1c1fb7763c8583df977233b771b Mon Sep 17 00:00:00 2001
From: Eric Lippmann
Date: Wed, 11 Mar 2015 22:32:04 +0100
Subject: [PATCH] Respond with HTTP status code 403 when an XHR requires authentication
refs #8626
---
 library/Icinga/Web/Controller/ActionController.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/library/Icinga/Web/Controller/ActionController.php b/library/Icinga/Web/Controller/ActionController.php
index 0949dbc81..f0db0164f 100644
--- a/library/Icinga/Web/Controller/ActionController.php
+++ b/library/Icinga/Web/Controller/ActionController.php
@@ -299,6 +299,8 @@ class ActionController extends Zend_Controller_Action
 * if it's an auto-refresh request or to redirect to the URL which required login if it's not an auto-refreshing
 * one.
 *
+ * XHR will respond with HTTP status code 403 Forbidden.
+ *
 * @param Url|string $redirect URL to redirect to after successful login
 */
 protected function redirectToLogin($redirect = null)
@@ -306,6 +308,7 @@ class ActionController extends Zend_Controller_Action
 $login = Url::fromPath('authentication/login');
 if ($this->isXhr()) {
 $login->setParam('redirect', '__SELF__');
+ $this->_response->setHttpResponseCode(403);
 } elseif ($redirect !== null) {
 if (! $redirect instanceof Url) {
 $redirect = Url::fromPath($redirect);
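Review bot: The added docblock sentence `XHR will respond with HTTP status code 403 Forbidden.` has the roles reversed, since it is the server that answers an XHR, and it does not tell a caller what the 403 means for them. I would word it as `* Requests made via XHR that require authentication are answered with HTTP status code 403 Forbidden.` and add one more line stating that the status signals a missing login, not a permission denial. The docblock begins above the hunk, so its opening sentence is not visible here.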
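Review bot: The 403 set in the `isXhr()` branch reports a missing login with the status that normally means an authenticated user lacks permission, so client-side handlers and access-log monitoring cannot tell an expired session from a real authorization denial. If 401 was avoided on purpose (presumably to keep browsers from showing a native credential prompt), record that next to the call, e.g. `// 403, not 401: no WWW-Authenticate challenge is offered to XHR clients`. The rest of redirectToLogin() lies outside the hunk; if it goes on to issue a regular redirect, confirm that the redirect does not replace the 403 with a 3xx status before the response is sent.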