From 5067ffcf19a8659777406b06485fefc75404f2fa Mon Sep 17 00:00:00 2001
From: Volker Diels-Grabsch
Date: Fri, 9 Jun 2017 14:48:54 +0200
Subject: Fix forbidden_view for BasicAuthAuthenticationPolicy (#3066)
---
 CONTRIBUTORS.txt | 2 ++
 pyramid/authentication.py | 10 ++++++----
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/CONTRIBUTORS.txt b/CONTRIBUTORS.txt
index cbee08d0d..445536e9e 100644
--- a/CONTRIBUTORS.txt
+++ b/CONTRIBUTORS.txt
@@ -302,3 +302,5 @@ Contributors
 - Jeremy(Ching-Rui) Chen, 2017/04/19
 - Fang-Pen Lin, 2017/05/22
+
+- Volker Diels-Grabsch, 2017/06/09
diff --git a/pyramid/authentication.py b/pyramid/authentication.py
index 03b204e1a..445d6fcd2 100644
--- a/pyramid/authentication.py
+++ b/pyramid/authentication.py
@@ -1084,10 +1084,12 @@ class BasicAuthAuthenticationPolicy(CallbackAuthenticationPolicy):
 from pyramid.view import forbidden_view_config
 @forbidden_view_config()
- def basic_challenge(request):
- response = HTTPUnauthorized()
- response.headers.update(forget(request))
- return response
+ def forbidden_view(request):
+ if request.authenticated_userid is None:
+ response = HTTPUnauthorized()
+ response.headers.update(forget(request))
+ return response
+ return HTTPForbidden()
 """
 def __init__(self, check, realm='Realm', debug=False):
 self.check = check
-- 
cgit v1.2.3
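Review bot: `HTTPForbidden` is used on the new last line of the `forbidden_view` recipe in pyramid/authentication.py, but the commit adds no import for it. The diffstat shows this hunk is the file's only change, and the one import visible in it brings in only `forbidden_view_config`. The recipe's other import lines sit above the hunk, so this needs confirming against the full docstring. If they still import only what the old `basic_challenge` used, anyone copying the example gets a NameError, and so a 500 instead of the intended 403, on exactly the authenticated-but-denied path this commit introduces. Adding `from pyramid.httpexceptions import HTTPForbidden` to the example's imports would fix it. A short comment above the `if`, such as `# challenge only when no valid credentials were presented; an authenticated user gets a plain 403`, would also record why the 401 is now conditional.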