[dokuwiki] Re: Dokuwiki http headers...

  • From: Andreas Haerter <dokuwiki@xxxxxxxxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Fri, 22 Oct 2010 17:04:38 +0200

On 22.10.2010 16:55, Robin Getz wrote:
> I noticed that when getting a page which returns an ACL error (denied.txt)
> 
> The HTTP status code:
>> HTTP Status Code: HTTP/1.1 200 OK
> 
> Doesn't it make sense to return a 404 on an ACL error? If you don't want 
> people to see it, tell them it doesn't exist... 

I don't think this is a good idea.

Think of multiuser environments: how should someone be able to report to
an admin that e.g. a script needs access to something if he thinks the
error is on his side (e.g. a URL typo or something) because he gets a 404?
Sure, the problem is not a big one but debugging gets harder. I don't
like the situation where "404" may stand for "not found" and "no access".
If I get a "200 OK" but nothing works, I will look at the page and see the
"access denied" message, and everything is clear to me.

Maybe 403 would be a better choice, but "hiding" something with a 404
does not make sense (IMHO) because it is simply misleading and may confuse
without any real benefit regarding security.

-- 
Andreas <http://blog.andreas-haerter.com>

()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

-- 
DokuWiki mailing list - more info at
http://www.dokuwiki.org/mailinglist
