displays "Page not found" error when user not logged in
dpocock opened this issue · 5 comments
If a user is not logged in and they click the link at the bottom of the bursary status email, e.g.
https://debconf18.debconf.org/users/some_user
the "Page not found" error appears with the text "The page you requested cannot be found".
In this case it should probably show "Unauthorized" and prompt for the user to log in.
I suspect the end point is designed this way to avoid leaking information about the users that exist to people who are not logged in. Maybe it could be improved though.
Could it simply give the "Unauthorized" error for any username, whether the username is valid or not?
Thinking this through a bit. There are six cases:
| User list visibility | User exists & accessible | User exists & not accessible | No such user |
|---|---|---|---|
| public | 200 | 403 | 400 |
| private | 200 | ? | ? |
The private list constraint requires that the two missing values be the same. Returning a 400 means that a person whose session has timed out will see the page not found template. Returning a 403 means that a logged in user will receive a forbidden page when accessing a non-existent user.
Given this, I'm happy to return a 403 for the private user list in both cases since in a sense this is correct -- all information about the user list is forbidden.
Wafer currently doesn't have a base 403 template though, so we should add one.
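The decision table from the comment above, written out as an added example so the anti-enumeration constraint can be checked mechanically. This is not wafer's code: the user store, the `Request` stand-in and the `accessible` rule (owner always sees their own page, others only see profiles flagged as shared) are assumptions made for the example, and the status codes are the ones the table gives (200, 403 and 400), not whatever wafer actually returns.

```python
"""Decision table for /users/<username> visibility (added example,
not wafer's code). Status codes are taken from the table in the thread."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    """Minimal stand-in for a request: who is asking (None = not logged in).
    Assumption for the example; wafer uses Django's request object."""
    user: Optional[str]


# Constructed user store for the example: username -> profile shared with others?
USERS = {
    "some_user": True,   # exists and may be viewed by anyone
    "shy_user": False,   # exists but only the owner may view it
}


def accessible(request: Request, username: str) -> bool:
    """Assumed access rule: the owner always sees their own page,
    everyone else only sees profiles flagged as shared."""
    return request.user == username or USERS[username]


def profile_status(request: Request, username: str, list_public: bool) -> int:
    """Return the HTTP status for /users/<username> under the table's policy.

    With a private user list the 'exists but not accessible' and 'no such
    user' rows deliberately collapse to the same code, so an anonymous
    visitor cannot use the response to learn which usernames exist."""
    exists = username in USERS
    if exists and accessible(request, username):
        return 200
    if list_public:
        return 403 if exists else 400  # codes as written in the table above
    return 403  # private list: identical answer whether or not the user exists


def leaks_existence(list_public: bool) -> bool:
    """Enumeration check: does an anonymous visitor get different responses
    for a hidden existing user and for a user that does not exist?"""
    anon = Request(user=None)
    hidden = profile_status(anon, "shy_user", list_public)
    missing = profile_status(anon, "no_such_user", list_public)
    return hidden != missing


if __name__ == "__main__":
    for public in (True, False):
        print("public" if public else "private",
              "leaks existence:", leaks_existence(public))
```

The `leaks_existence` check is the property worth keeping in a test suite: whatever codes are chosen for the private list, the two hidden rows must stay equal, otherwise the endpoint becomes a username oracle for logged-out visitors.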