Redirecting to 404? Incorrectly or by design? #4088
Comments
fix #4088 - redirect to login if not authenticated
I believe this logic was affected by the refactoring for 5.1 and also the introduction of the Page Effective/Expiry in 5.0. There are a lot of combinations to test (static vs interactive rendering, authenticated vs unauthenticated, page effective/expiry valid vs invalid, page view permissions allowed vs restricted) but I believe PR #4090 resolves them all.
@sbwalker 404 is supposed to be for admin pages.
@thabaum 404 is supposed to be used for multiple scenarios:
@sbwalker to me this feels wrong, especially scenario #2: no-permissions should generate a 403, not a 404. Don't you agree?
@iJungleboy the use of the term "404" is probably not correct here. This is focused on the UI behavior of the application when a user requests a Url and the framework is unable to navigate the user to that Url. In these cases there is a "friendly" page which the user is redirected to which can be customized with whatever content you want. The "friendly" page has a path of "/404". In regards to permissions, this has been debated in the past. Some people feel that the strict HTTP status codes should be used. Others feel that if a page exists in a site and an unauthorized user tries to access it, revealing that the page actually exists (i.e. via a 403) is a security disclosure issue, so it would be better to not reveal that the page exists. Currently Oqtane only has a single "friendly" page for these types of scenarios.
When an unauthenticated user navigates to a known page in the site, i.e. in a framework default site it would be /private, the user is directed to 404, page does not exist. If the page exists, then would it not be a better experience to direct the user to Login to authenticate or register or navigate away?