Open
Description
Version used for observed issue: v1.19.0 (looking at the main code, it's still an issue: https://github.com/prometheus/client_golang/blob/main/api/prometheus/v1/api.go#L1453
Currently, some of the API functions to query metrics use a POST method, and fallback to GET when a status "Not allowed" or "Not implemented" is returned; cf DoGetFallback function.
When Prometheus is used behind a RBAC proxy, users might have permissions for GET (associated with reading) but not for POST (associated with writing). So a POST query might return a 403 error while the GET would succeed.
I'd suggest adding a check for 403 response code as a valid trigger for the GET fallback. What do you think? I'm happy to open a PR if that sounds good to you.