foam-framework/foam2

Security error semantics are unclear


After discussion in the foam Slack channel, it was decided that there should be two separate exceptions with two different meanings:

  • AuthenticationException should be thrown when a user is not logged in.
  • AuthorizationException should be thrown when a user is logged in but tries to do something they don't have permission to do.

Furthermore, both exceptions should be custom-made so that they're unchecked.

The catch-all redirect to the login form should remain in place, but only for AuthenticationExceptions.
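The split described above, as an added example that is not FOAM's own code: both exceptions extend `RuntimeException` so they are unchecked, `Guard.check` decides which one applies (authentication is tested before authorization, so an anonymous caller is never told which permission it lacks), and `Handler.handle` redirects to the login form only for `AuthenticationException` while an `AuthorizationException` is refused in place. The `Session`, `Guard` and `Handler` classes and the permission strings are assumptions made for this illustration.

```java
// Added example (not FOAM's own code). Class names, method names and the
// permission strings below are assumptions for illustration only.

import java.util.Set;

// Thrown when no user is logged in. Extends RuntimeException, so it is unchecked.
class AuthenticationException extends RuntimeException {
  public AuthenticationException(String message) { super(message); }
}

// Thrown when a logged-in user lacks permission for the requested action.
// Also unchecked; it carries the permission that was missing.
class AuthorizationException extends RuntimeException {
  private final String permission;
  public AuthorizationException(String user, String permission) {
    super("user '" + user + "' lacks permission '" + permission + "'");
    this.permission = permission;
  }
  public String getPermission() { return permission; }
}

// Minimal stand-in for a session: a user id (null when nobody is logged in)
// and the set of permissions granted to that user.
class Session {
  final String userId;
  final Set<String> permissions;
  Session(String userId, Set<String> permissions) {
    this.userId = userId;
    this.permissions = permissions;
  }
}

class Guard {
  // Authentication is checked before authorization, so an anonymous caller
  // always gets AuthenticationException and learns nothing about permissions.
  static void check(Session session, String permission) {
    if (session == null || session.userId == null) {
      throw new AuthenticationException("no user logged in");
    }
    if (!session.permissions.contains(permission)) {
      throw new AuthorizationException(session.userId, permission);
    }
  }
}

class Handler {
  // Returns a description of the HTTP outcome: a redirect to the login form,
  // a 403, or success after the action ran.
  static String handle(Session session, String permission, Runnable action) {
    try {
      Guard.check(session, permission);
      action.run();
      return "200 OK";
    } catch (AuthenticationException e) {
      // Only the "not logged in" case is sent to the login form.
      return "302 redirect to /login";
    } catch (AuthorizationException e) {
      // A logged-in user without the permission is refused, not redirected:
      // sending them to the login form would hide the real reason.
      return "403 Forbidden: " + e.getMessage();
    }
  }

  public static void main(String[] args) {
    Runnable deleteAll = () -> {};
    // Constructed sample sessions.
    Session anonymous = new Session(null, Set.of());
    Session alice = new Session("alice", Set.of("invoice.read"));
    Session admin = new Session("admin", Set.of("invoice.read", "invoice.delete"));

    System.out.println(handle(anonymous, "invoice.delete", deleteAll));
    System.out.println(handle(alice, "invoice.delete", deleteAll));
    System.out.println(handle(admin, "invoice.delete", deleteAll));
  }
}
```

Because neither exception is checked, code deep inside a DAO or service can throw them without every caller declaring `throws`; the single catch in `Handler` is the one place that decides between redirecting and refusing, which is the behaviour the issue asks for.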