PolicyEvaluator doesn't have correct logic #56656
Labels
area-security
Needs: Author Feedback
Status: No Recent Activity
Is there an existing issue for this?
Describe the bug
https://source.dot.net/#Microsoft.AspNetCore.Authorization.Policy/PolicyEvaluator.cs,99
I believe the logic is wrong here, so if authorization passes while authentication doesn't pass, the response is 200, not 401.
E.g. an endpoint accessed by an unauthenticated user, below:
Despite the mistake made by the junior developer, I would still expect the response to be 401 rather than 200.
Expected Behavior
The response to be 401 rather than 200
Steps To Reproduce
No response
Exceptions (if any)
No response
.NET Version
.NET 8
Anything else?
No response
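
An added example, not code from the issue or from the ASP.NET Core repository: it evaluates two constructed policies against an anonymous principal through `IAuthorizationService`, the service the linked `PolicyEvaluator` calls. A policy built only from an assertion succeeds for an anonymous user, while adding `RequireAuthenticatedUser()` makes the same evaluation fail for that user. The policy names are hypothetical, and the project is assumed to reference `Microsoft.AspNetCore.Authorization` (for instance through the web SDK).

```csharp
using System;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Constructed policies for illustration; the names are hypothetical.
var services = new ServiceCollection()
    .AddLogging()
    .AddAuthorizationCore(options =>
    {
        // Only requirement is an assertion that never inspects the user.
        options.AddPolicy("AssertionOnly", p =>
            p.RequireAssertion(_ => true));

        // Same assertion, but the policy also denies anonymous users.
        options.AddPolicy("AuthenticatedFirst", p =>
            p.RequireAuthenticatedUser()
             .RequireAssertion(_ => true));
    })
    .BuildServiceProvider();

var authorization = services.GetRequiredService<IAuthorizationService>();

// A ClaimsIdentity without an authentication type reports
// IsAuthenticated == false, which is what an endpoint sees
// when no authentication handler produced a user.
var anonymous = new ClaimsPrincipal(new ClaimsIdentity());

foreach (var policyName in new[] { "AssertionOnly", "AuthenticatedFirst" })
{
    AuthorizationResult result =
        await authorization.AuthorizeAsync(anonymous, resource: null, policyName);

    Console.WriteLine(
        $"{policyName}: authenticated={anonymous.Identity?.IsAuthenticated}, " +
        $"authorized={result.Succeeded}");
}
```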