@dragotin: I think we should specify this to distinguish wrong credentials (a failed login due to wrong/expired user password) from accessing a resource without permissions with good credentials.
I guess:
for wrong credentials it is: 401 Unauthorized -- user may/will be asked to re-authenticate (password)
for good credentials but no permission it is: 403 Forbidden -- user won't be asked to reauthenticate.
Is this correct?
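The 401/403 split proposed in the comment above, as an added example that is not part of the issue thread or of the project's code: a minimal server-side decision that returns 401 (with the `WWW-Authenticate` header RFC 7235 requires) when the credentials themselves are wrong, and 403 when the credentials are good but the user is not allowed to access the resource, together with the client's reaction to each status. The user store, the ACL, the resource paths and the `client_action` names are all constructed for this illustration.

```python
"""Added example (not from the issue thread or the project): a minimal
401-vs-403 decision on the server and the matching client reaction.
Users, passwords, resource paths and the ACL below are constructed."""

import base64
import hashlib
import hmac

# Constructed credential store: username -> sha256(password) hex digest.
USERS = {
    "alice": hashlib.sha256(b"correct-horse").hexdigest(),
}

# Constructed ACL: resource path -> set of users allowed to read it.
ACL = {
    "/remote.php/shared/report.pdf": {"alice"},
    "/remote.php/private/bob-only.txt": set(),
}


def parse_basic(header):
    """Return (user, password) from an HTTP Basic Authorization header, or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def credentials_valid(user, password):
    """Constant-time check of the supplied password against the store."""
    supplied = hashlib.sha256(password.encode("utf-8")).hexdigest()
    stored = USERS.get(user)
    if stored is None:
        # Compare against a dummy digest so unknown users and wrong passwords
        # take the same code path and reveal nothing about which one failed.
        hmac.compare_digest(supplied, "0" * 64)
        return False
    return hmac.compare_digest(supplied, stored)


def handle_request(path, authorization):
    """Return (status, headers) for a GET on `path`.

    401 + WWW-Authenticate: the credentials are missing, malformed or wrong,
         so the client should ask the user to re-authenticate.
    403: the credentials are good but this user may not access the resource;
         re-entering the password would not help.
    """
    creds = parse_basic(authorization)
    if creds is None or not credentials_valid(*creds):
        # RFC 7235: a 401 response MUST include WWW-Authenticate so the
        # client knows which scheme and realm to re-authenticate against.
        return 401, {"WWW-Authenticate": 'Basic realm="sync"'}
    user = creds[0]
    if path not in ACL:
        return 404, {}
    if user not in ACL[path]:
        return 403, {}  # authenticated, but not authorised for this path
    return 200, {}


def client_action(status):
    """What a sync client should do with each status (constructed names)."""
    if status == 401:
        return "reauthenticate"            # prompt for a (new) password
    if status == 403:
        return "report_permission_denied"  # keep the session, do not re-prompt
    if status == 200:
        return "proceed"
    return "error"


def basic_header(user, password):
    """Build the Authorization header a client would send."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    for path, auth in [
        ("/remote.php/shared/report.pdf", basic_header("alice", "wrong")),
        ("/remote.php/shared/report.pdf", basic_header("alice", "correct-horse")),
        ("/remote.php/private/bob-only.txt", basic_header("alice", "correct-horse")),
    ]:
        status, headers = handle_request(path, auth)
        print(path, status, headers, "->", client_action(status))
```

The point for the client is in `client_action`: a 401 is the only status that should trigger a password prompt, and it is only safe to treat it that way because the server commits to sending 401 solely for failed credentials and 403 for a permission problem on an otherwise valid session.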