EZP-19915 (eZ Publish / Platform)

return an http error code 403 by default on access denied pages (kernel error 1)


    Details

    • Type: Bug
    • Status: Open
    • Priority: Medium
    • Resolution: Unresolved
    • Affects Version/s: 2012.8, 4.7.0
    • Fix Version/s: None
    • Component/s: Misc, Permissions
    • Labels: None
    • Environment: any

      Description

      When kernel error 1 is emitted, eZ by default sends a response page with a clear error message and a login form, but the HTTP response code is 200.

      This is a problem when there is a caching reverse proxy in front of the site, or when eZ has been configured through site.ini to emit caching headers: the access-denied page will be cached.

      Imagine the following scenario:
      1. A user visits a page as anonymous and is denied access.
      2. The user logs in.
      3. The user visits the same page again (to which he now has access) and still sees the "access denied" page unless he clicks the "refresh" button.

      The fix: use error.ini to emit a 403 HTTP error code by default for kernel error 1:

      [ErrorSettings-kernel]
      HTTPError[1]=403

      [HTTPError-403]
      HTTPName=Forbidden
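A model of the caching problem the report describes, written as an added example (not eZ Publish code): a minimal reader for the error.ini fragment (assumed sufficient for this INI dialect, not eZ's own loader) plus a simplified RFC 7234 storability rule standing in for the reverse proxy. It replays the three-step scenario with and without the proposed fix.

```python
# Constructed error.ini fragment holding the fix proposed in the report (eZ INI dialect).
ERROR_INI_FIXED = """
[ErrorSettings-kernel]
HTTPError[1]=403

[HTTPError-403]
HTTPName=Forbidden
"""

# Statuses a cache may store without explicit freshness information (RFC 7231 section 6.1).
HEURISTICALLY_CACHEABLE = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


def kernel_error_status(ini_text: str, kernel_error: int) -> int:
    """HTTP status that error.ini maps a kernel error to; 200 when nothing is configured,
    which models the default behaviour the report describes (minimal parser, not eZ's own)."""
    section, wanted = None, f"HTTPError[{kernel_error}]"
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ErrorSettings-kernel" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == wanted:
                return int(value)
    return 200


def shared_cache_stores(status: int, cache_control: str) -> bool:
    """Simplified RFC 7234 section 3 storability rule for a shared cache such as a reverse proxy."""
    directives = {d.strip().split("=", 1)[0].lower() for d in cache_control.split(",") if d.strip()}
    if directives & {"no-store", "private"}:
        return False
    # Explicit freshness makes any status storable, so the 403 must not carry max-age either.
    return bool(directives & {"max-age", "s-maxage", "public"}) or status in HEURISTICALLY_CACHEABLE


def scenario(ini_text: str, cache_control: str = "") -> list:
    """Replay the report's three steps through a shared cache and return what each visit sees."""
    cache, url = {}, "/restricted-page"
    # 1. anonymous user is denied: kernel error 1 renders the error page with a login form
    status = kernel_error_status(ini_text, 1)
    denied_page = f"{status} access denied + login form"
    if shared_cache_stores(status, cache_control):
        cache[url] = denied_page  # a bare 200 is stored under the proxy's default TTL
    # 2. user logs in; 3. user revisits with access: a cache hit replays the stale denial
    return [denied_page, cache.get(url, "200 restricted content")]
```

Note that a 403 sent with an explicit max-age is still storable, so the error response must not also carry the site.ini caching headers for the fix to hold.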

      People

      Assignee: Unassigned
      Reporter: Gaetano Giunta (gaetano.giunta@ez.no)