On 7/30/11 1:14 PM, Jeremy Pereira wrote:
>
> On 30 Jul 2011, at 18:17, Les Mikesell wrote:
>
>>
>> '403 forbidden' makes reasonable sense for a client-side message to someone who shouldn't know internal details anyway.
>
> Seriously? You think an HTTP response code (which *is* an internal detail) is an acceptable error message. You think it makes sense? Why is 403 forbidden? Oh, right, that's just a code. Ok what is forbidden? Is it me? the repository? writing to the repository? writing to a particular file? Why is it forbidden? Is it because it is Tuesday? WHY???!!!!
>
> It's a useless error message. It's even pretty useless to the average person when they are trying to use a browser to access a URL.

From a security perspective it is a bad idea to tell a network client that is
doing something you have explicitly denied any of the details of how the system
is configured to prevent it. Working correctly is usually a yes or no question
and this answer is clearly 'no'.

>> Is something better in the apache error log where the sysadmin who set it up wrong should be looking?
>
> Except that the administrator might not have set up the repository wrong. He might have made it deliberately read only. Users should not have to trawl Apache logs to find out that they are not allowed to commit to a repository.

Right, if the system is intentionally set up for read-only access, the user
should not get a hint about how to work around it, and it won't do them any
particular good to know if it is denied in the http config, the authorization
setup, or the filesystem. Really, what do you need to know as an end user
besides that your commit was denied?

--
Les Mikesell
lesmikesell_at_gmail.com
Received on 2011-07-30 21:10:54 CEST