http://www.faqs.org/rfcs/rfc2616.html
10.4.2 401 Unauthorized
The request requires user authentication. The response MUST include a
WWW-Authenticate header field (section 14.47) containing a challenge
applicable to the requested resource. The client MAY repeat the
request with a suitable Authorization header field (section 14.8). If
the request already included Authorization credentials, then the 401
response indicates that authorization has been refused for those
credentials. If the 401 response contains the same challenge as the
prior response, and the user agent has already attempted
authentication at least once, then the user SHOULD be presented the
entity that was given in the response, since that entity might
include relevant diagnostic information. HTTP access authentication
is explained in "HTTP Authentication: Basic and Digest Access
Authentication" [43].
"the response MUST include a WWW-Authenticate header field"
but, in the /lib/exe/fetch.php
//check permissions (namespace only)
if(auth_quickaclcheck(getNS($MEDIA).':X') < AUTH_READ){
header("HTTP/1.0 401 Unauthorized");
//fixme add some image for imagefiles
//$ASD=getNS($MEDIA);
print "Unauthorized $ASD";
exit;
}
sending 401 retcode without WWW-Authenticate header ...
please change the retcode to 403 (Forbidden)