403 page is rendered but 404 is the response
Right now if we call authorize_#{action}
in any of the project controllers, it will go through Projects::ApplicationController#authorize_action!
which in turn calls ApplicationController#access_denied!
if the current_user
is unable to perform a certain action.
If we look at the source of access_denied
we are currently rendering the access_denied
view, which shows the 403
message. But in reality, since access_denied!
is getting called without a message being provided, the real status returned will be 404
.
So to summarize, when the 403 page is getting returned, the actual HTTP response is a 404