Missing 403 status header for ‘not allowed’ question page
includes/common-pages.php:127 sets the 403 status header if the user has no permission to view a private question, which is good. But afterwards the hook ‘ap_template_include’ fires and the function ‘template_include_theme_compat’ from includes/class-theme.php is called, which calls ‘ap_theme_compat_reset_post’ from includes/theme.php, where the status header is set back to 200 at line 1156.
I believe that the check in the previous line, ! $wp_query->is_404(), should be changed, because there’s at least a 403 status possible too.
Would you mind fixing this in the next release?
The current check using ! $wp_query->is_404() is too limited, as it doesn’t account for other valid non-200 statuses like 403. Since the 403 header is correctly set earlier when access is denied, it shouldn’t be overwritten back to 200 later in HCTRA
This fails to account for cases where a 403 Forbidden (or potentially even 500, 401, etc.) status might have already been set earlier — unintentionally downgrading the error status Worldguessr to 200.
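One way to write the guard this thread asks for, as an added example (not AnsPress code and not from the posts above): the reset to 200 is skipped whenever an earlier handler has already sent an error status. The `example_*` names are hypothetical, and it assumes the earlier 403 was sent with WordPress's `status_header()`, so that PHP's `http_response_code()` reports it.

```php
<?php
// Added example: hypothetical helper names, not AnsPress code.

/**
 * Decide which status the theme-compat reset should send.
 *
 * @param bool      $is_404  Result of $wp_query->is_404().
 * @param int|false $current Status already set for this response, or false if none.
 * @return int|null Status to send, or null to leave the existing one untouched.
 */
function example_compat_status( bool $is_404, $current ): ?int {
    // An earlier handler already chose an error status (403, 401, 500, ...): keep it.
    if ( is_int( $current ) && $current >= 400 ) {
        return null;
    }
    // Behaviour described in the thread: a 404 query is not reset to 200.
    if ( $is_404 ) {
        return null;
    }
    return 200;
}

/** Inside WordPress: apply the decision using the real response state. */
function example_compat_reset_status( $wp_query ): void {
    $status = example_compat_status( $wp_query->is_404(), http_response_code() );
    if ( null !== $status ) {
        status_header( $status );
    }
}

// Constructed cases, run only from the command line (outside WordPress).
if ( PHP_SAPI === 'cli' && ! function_exists( 'status_header' ) ) {
    $cases = array(
        'private question, 403 already sent' => array( false, 403 ),
        'normal question page'               => array( false, 200 ),
        'no status set yet'                  => array( false, false ),
        'unknown question (404 query)'       => array( true, 404 ),
    );
    foreach ( $cases as $label => list( $is_404, $current ) ) {
        $out = example_compat_status( $is_404, $current );
        printf( "%-36s => %s\n", $label, null === $out ? 'keep existing' : $out );
    }
}
```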