Why not all authorization requirements included in ForbiddenResponseOperationFilter?

[xperiandri]

Why only these requirements are included?

[RehanSaeed]

Forbidden means you have access to the site but you are not allowed to access the resource within the site. Are there other you think should be included?

[xperiandri]

Why not just check for any IAuthorizationRequirement?

[RehanSaeed]

You don't want to include DenyAnonymousAuthorizationRequirement because that produces a 401 (See code).

Also we can't be sure if any custom requirements a developer creates should create a 401 or 403, so I'm very explicit here about types that should create a 403.

[xperiandri]

I thought that requirement must produce 403 only

[RehanSaeed]

DenyAnonymousAuthorizationRequirement means you must be logged in which translates to a 401. Everything else is a 403 i.e. you don't have access to that resource.