Security error semantics are unclear
Closed this issue · 0 comments
TW80000 commented
After discussion in the foam Slack channel, it was decided that there should be two separate exceptions with two different meanings:
- AuthenticationException should be thrown when a user is not logged in.
- AuthorizationException should be thrown when a user is logged in but tries to do something they don't have permission to do.
Furthermore, both exceptions should be custom-made so that they're unchecked.
The catch-all redirect to the login form should remain in place, but only for AuthenticationExceptions.
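The split described in this issue, as an added illustration that is not code from the foam project or from the issue author: two unchecked exceptions with the two meanings above, and a catch-all that redirects to the login form only for AuthenticationException. The class name SecurityErrorSemanticsExample, the requirePermission guard, the Outcome type and the "grants" set are assumptions made for the example; only the two exception names and their semantics come from the issue.

```java
import java.util.Set;

// Added example: distinct unchecked exceptions for "not logged in" versus
// "logged in but not permitted", and a catch-all that only redirects on the former.
public class SecurityErrorSemanticsExample {

    // Thrown when no user is logged in. Extends RuntimeException so it is unchecked.
    public static class AuthenticationException extends RuntimeException {
        public AuthenticationException(String message) { super(message); }
    }

    // Thrown when a logged-in user lacks permission for the requested action. Also unchecked.
    public static class AuthorizationException extends RuntimeException {
        public AuthorizationException(String message) { super(message); }
    }

    // Assumed result type for the hypothetical request handler below.
    public enum Outcome { OK, REDIRECT_TO_LOGIN, FORBIDDEN }

    // Hypothetical guard: authentication is checked before authorization, so an
    // anonymous caller is never reported as "forbidden" for a permission it could not hold.
    static void requirePermission(String user, Set<String> grants, String permission) {
        if (user == null) {
            throw new AuthenticationException("no user is logged in");
        }
        if (!grants.contains(permission)) {
            throw new AuthorizationException(user + " lacks permission " + permission);
        }
    }

    // The catch-all: only AuthenticationException leads to the login form.
    // AuthorizationException is handled separately, because sending an already
    // logged-in user back to the login page cannot fix a missing permission.
    static Outcome handle(String user, Set<String> grants, String permission) {
        try {
            requirePermission(user, grants, permission);
            return Outcome.OK;
        } catch (AuthenticationException e) {
            return Outcome.REDIRECT_TO_LOGIN;
        } catch (AuthorizationException e) {
            return Outcome.FORBIDDEN;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: the user "alice" holds only the "read" grant.
        Set<String> grants = Set.of("read");
        System.out.println(handle(null, grants, "read"));
        System.out.println(handle("alice", grants, "read"));
        System.out.println(handle("alice", grants, "delete"));
    }
}
```

Keeping the two catch clauses separate is the whole point: a single catch of a shared superclass would collapse both cases back into one redirect, which is exactly the ambiguity the issue asks to remove.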