eZ Publish / Platform
EZP-19915: Return an HTTP error code 403 by default on access denied pages (kernel error 1)

    Details

    • Type: Bug
    • Status: Open
    • Priority: Medium
    • Resolution: Unresolved
    • Affects Version/s: 2012.8, 4.7.0
    • Fix Version/s: None
    • Component/s: Misc, Permissions
    • Labels: None
    • Environment: any

      Description

      When a kernel error "1" is emitted, by default eZ sends a response page with a clear error message and a login form.
      But the HTTP response code is 200.

      This can be a problem if there is any caching reverse proxy in front, or if the user has set up eZ to emit caching headers using site.ini: the page will be cached.

      Imagine the following scenario:
      1. user visits a page as anonymous, to which he is denied access
      2. user logs in
      3. user visits the same page again (to which he now has access) => he will still see the "access denied" page unless he clicks on the "refresh" button.

      The fix: use error.ini to emit a 403 HTTP error code by default with any kernel error 1:

      [ErrorSettings-kernel]
      HTTPError[1]=403

      [HTTPError-403]
      HTTPName=Forbidden
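      Added example (not eZ Publish code and not part of the issue): a Python simulation of the three-step scenario above. A toy origin stands in for eZ and emits site.ini-style caching headers on every page; a toy shared cache stands in for the reverse proxy and, as an assumption modelled on Varnish-style defaults, stores responses only for a whitelist of status codes (check your own proxy's rules). It shows the stale "access denied" page being served after login when the denied page is a 200, and the correct page when it is a 403. It also runs a third variant the issue does not discuss: the denied page stays a 200 but carries Cache-Control: no-store. A cache that honours explicit freshness may store any status that arrives with max-age, so changing the status alone is only safe if the error page is not also marked cacheable.

```python
"""Simulate the stale "access denied" scenario from EZP-19915.

Constructed example: a toy origin (stand-in for eZ Publish) behind a toy shared
cache (stand-in for a reverse proxy). None of this is eZ Publish code.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumption: the proxy stores only these statuses by default (modelled on the
# whitelist used by Varnish-style caches). A 403 is therefore never stored.
CACHEABLE_STATUSES = {200, 203, 204, 300, 301, 302, 304, 307, 404, 410, 414}


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


class Origin:
    """Toy stand-in for eZ Publish: /private requires a logged-in user."""

    def __init__(self, denied_status: int, no_store_on_denied: bool = False):
        self.denied_status = denied_status          # status sent with kernel error 1
        self.no_store_on_denied = no_store_on_denied

    def handle(self, path: str, user: Optional[str]) -> Response:
        # site.ini-style caching headers are emitted on every page
        headers = {"Cache-Control": "public, max-age=60"}
        if path == "/private" and user is None:
            # kernel error 1: access denied, rendered as a login form
            if self.no_store_on_denied:
                headers["Cache-Control"] = "no-store"
            return Response(self.denied_status, "login form", headers)
        return Response(200, "secret content", headers)


class SharedCache:
    """Reverse proxy keyed on path only: it knows nothing about the session cookie."""

    def __init__(self, origin: Origin):
        self.origin = origin
        self.store: Dict[str, Response] = {}

    def get(self, path: str, user: Optional[str]) -> Response:
        if path in self.store:
            return self.store[path]                 # cache hit, origin not consulted
        resp = self.origin.handle(path, user)
        storable = (resp.status in CACHEABLE_STATUSES
                    and "no-store" not in resp.headers.get("Cache-Control", ""))
        if storable:
            self.store[path] = resp
        return resp


def run_scenario(denied_status: int, no_store_on_denied: bool = False) -> Tuple[int, str]:
    """Steps 1-3 from the issue; returns (status seen anonymously, body seen after login)."""
    cache = SharedCache(Origin(denied_status, no_store_on_denied))
    anon = cache.get("/private", user=None)             # 1. anonymous visit, access denied
    # 2. the user logs in; the session lives in a cookie, the URL does not change
    logged_in = cache.get("/private", user="editor")    # 3. same URL again
    return anon.status, logged_in.body


if __name__ == "__main__":
    print(run_scenario(200))         # stale "login form" served from cache after login
    print(run_scenario(403))         # 403 was never stored, so the real page comes back
    print(run_scenario(200, True))   # no-store on the denied page also prevents it
```

      The key point is that the shared cache keys on the URL and cannot see the session cookie, so whatever the anonymous visitor received is what the logged-in user gets back until the entry expires. Both a non-cacheable status and an explicit no-store on the denied response avoid that; in production the two belong together.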

          Activity

          Gaetano Giunta (Inactive) added a comment -

          This seems to be also the case for all pages in the backoffice.

          Eg: a user tries to download an image using the backoffice siteaccess: http://etc/content/download/yyy/zzz

          he gets back a 200 page, which is in fact not an image at all but a login page, which is not nice

          Gaetano Giunta (Inactive) added a comment -

          ps: discussion on appropriate error codes to use along with form-based auth: http://stackoverflow.com/questions/8389253/correct-http-status-code-for-resource-which-requires-authorization http://stackoverflow.com/questions/4301877/http-status-code-for-missing-authentication
          Joao Inacio (Inactive) added a comment -

          This has already been implemented in EZP-21337, using HTTP 401

          I think distinguishing between 403: Unauthorized and 401: Forbidden may be a bit (or a lot) more tricky, since IIRC everything is kernel error (1).
          So, 401 seems to be the better default for most cases IMHO...

          Jakob Stoeck added a comment - edited

          The 401 from EZP-21337 does not work for me in 5.1. The /user/login page always returns an HTTP 200 header.


            People

            • Assignee: Unassigned
            • Reporter: Gaetano Giunta (Inactive)
            • Votes: 0
            • Watchers: 3