From bc7cb235ecf93b56786d210c9633c27dc3f3c2e8 Mon Sep 17 00:00:00 2001
From: Philip Durbin <philip_durbin@harvard.edu>
Date: Thu, 19 Dec 2024 15:15:41 -0500
Subject: [PATCH] add release note #10340

---
 doc/release-notes/10340-forbidden.md | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 doc/release-notes/10340-forbidden.md

diff --git a/doc/release-notes/10340-forbidden.md b/doc/release-notes/10340-forbidden.md
new file mode 100644
index 00000000000..0910646c7bd
--- /dev/null
+++ b/doc/release-notes/10340-forbidden.md
@@ -0,0 +1,7 @@
+### API Now Returns 403 Forbidden for Permission Checks
+
+Dataverse was returning 401 Unauthorized when a permission check failed. This has been corrected to return 403 Forbidden in these cases. That is, the API token is known to be good (401 otherwise) but the user lacks permission (403 is now sent). See also #10340 and #11116.
+
+### Backward Incompatible Changes
+
+See "API Now Returns 403 Forbidden for Permission Checks" above.