Why doesn't ForbidResult inherit from StatusCodeResult like other result types?

[Claudiu2222]

I have noticed that while results such as BadRequestResult, ConflictResult, NoContentResult, NotFoundResult, OkResult, UnauthorizedResult, UnprocessableEntityResult, and UnsupportedMediaTypeResult inherit from StatusCodeResult, the ForbidResult does not. Instead, it inherits directly from ActionResult.

I believe that due to this inheritance difference, when returning a ForbidResult from a controller action, it unexpectedly returns a status code of 200 OK instead of the intended 403 Forbidden status code. The solution for this would be to directly return a new StatusCodeResult obj.

I'm particularly curious about why ForbidResult behaves differently in this regard. Is this behavior intentional, and if so, what was the rationale behind this design decision?

Thank you!

[BrennanConroy]

Just guessing here, but the doc comments on ForbidResult state

An <see cref="ActionResult"/> that on execution invokes <see cref="M:HttpContext.ForbidAsync"/>

https://source.dot.net/#Microsoft.AspNetCore.Mvc.Core/ForbidResult.cs,12

So the auth library you're using should be setting an appropriate status code for your application.

Whereas the other types you listed are just wrappers around setting a specific response status code.