I think 401 and 403 have been mixed up and we just need to swap them.
401: Unauthorized - although the HTTP status is called Unauthorized, it means Unauthenticated - not logged in (or no valid session)
403: Forbidden should be used for Authorization failures of a logged in user.
These are set in the error_handlers.py, but we'll need to change or check using of the numbers in tests and the FrontEnd.
I think 401 and 403 have been mixed up and we just need to swap them.
401: Unauthorized - although the HTTP status is called Unauthorized, it means Unauthenticated - not logged in (or no valid session) 403: Forbidden should be used for Authorization failures of a logged in user.
These are set in the error_handlers.py, but we'll need to change or check using of the numbers in tests and the FrontEnd.