2 files changed, 11 insertions, 1 deletions

diff --git a/src/mod_http_api.erl b/src/mod_http_api.erl
index bbd4a28d..c2b7d110 100644
--- a/src/mod_http_api.erl
+++ b/src/mod_http_api.erl
@@ -279,6 +279,7 @@ handle2(Call, Auth, Args) when is_atom(Call), is_list(Args) ->
         0 -> {200, <<"OK">>};
         1 -> {500, <<"500 Internal server error">>};
         400 -> {400, <<"400 Bad Request">>};
+        401 -> {401, <<"401 Unauthorized">>};
         404 -> {404, <<"404 Not found">>};
         Res -> format_command_result(Call, Auth, Res)
     end.
@@ -366,6 +367,7 @@ ejabberd_command(Auth, Cmd, Args, Default) ->
              end,
     case catch ejabberd_commands:execute_command(Access, Auth, Cmd, Args) of
         {'EXIT', _} -> Default;
+        {error, account_unprivileged} -> 401;
         {error, _} -> Default;
         Result -> Result
     end.
diff --git a/test/mod_http_api_test.exs b/test/mod_http_api_test.exs
index adcb4706..cc5aed5a 100644
--- a/test/mod_http_api_test.exs
+++ b/test/mod_http_api_test.exs
@@ -43,7 +43,15 @@ defmodule ModHttpApiTest do
     {200, _, _} = :mod_http_api.process(["open_cmd"], request)
   end
 
-  test "Call to user, admin, restricted commands without authentication are rejected" do
+  # This related to the commands config file option
+  test "Attempting to access a command that is not exposed as HTTP API returns 401" do
+    :ejabberd_config.add_local_option(:commands, [])
+    request = request(method: :POST, data: "[]")
+    {401, _, _} = :mod_http_api.process(["open_cmd"], request)
+  end
+
+  test "Call to user commands without authentication are rejected" do
+    :ejabberd_config.add_local_option(:commands, [[{:add_commands, [:user_cmd]}]])
     request = request(method: :POST, data: "[]")
     {401, _, _} = :mod_http_api.process(["user_cmd"], request)
   end