On Sat, Jul 30, 2011 at 3:10 PM, Les Mikesell <lesmikesell_at_gmail.com> wrote:
> On 7/30/11 1:14 PM, Jeremy Pereira wrote:
>>
>> On 30 Jul 2011, at 18:17, Les Mikesell wrote:
>>
>>>
>>> '403 forbidden' makes reasonable sense for a client-side message to
>>> someone who shouldn't know internal details anyway.
>>
>> Seriously? You think an HTTP response code (which *is* an internal
>> detail) is an acceptable error message. You think it makes sense? Why is
>> 403 forbidden? Oh, right, that's just a code. Ok what is forbidden? Is it
>> me? the repository? writing to the repository? writing to a particular
>> file? Why is it forbidden? Is it because it is Tuesday? WHY???!!!!
>>
>> It's a useless error message. It's even pretty useless to the average
>> person when they are trying to use a browser to access a URL.
>
> From a security perspective it is a bad idea to tell a network client that
> is doing something you have explicitly denied any of the details of how the
> system is configured to prevent it. Working correctly is usually a yes or
> no question and this answer is clearly 'no'.
>
>>> Is something better in the apache error log where the sysadmin who set it
>>> up wrong should be looking?
>>
>> Except that the administrator might not have set up the repository wrong.
>> He might have made it deliberately read only. Users should not have to
>> trawl Apache logs to find out that they are not allowed to commit to a
>> repository.
>
> Right, if the system is intentionally set up for read-only access, the user
> should not get a hint about how to work around it, and it won't do them any
> particular good to know if it is denied in the http config, the
> authorization setup, or the filesystem. Really, what do you need to know
> as an end user besides that your commit was denied?
When I, as a user, am denied access to something, it's very helpful to
know at which level of the setup my access was denied in order to
*fix* it. And it's helpful for me, as an admin, to get an error
message that reveals as much as possible about the problem so that I
can fix it if the problem is my fault.
Received on 2011-07-31 00:04:39 CEST
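The two positions above are not actually in conflict in practice: the client can get a deliberately uninformative 403 with a short, actionable body, while the full reason is written to the server's error log where the administrator looks. The fragment below is an added example, not configuration from this thread or from the Subversion project; the hostname, paths, realm string and the "committers" group name are assumptions, and it covers the two denial layers the thread names (the HTTP configuration and the Subversion authorization file), not filesystem permissions.

```apache
# Added example (not from the thread): a read-mostly Subversion repository
# behind mod_dav_svn. Everyone with an account can read; only the assumed
# "committers" group can write. All names and paths are assumptions.
<VirtualHost *:80>
    ServerName svn.example.com
    # Server-side detail lives here. mod_authz_svn records each refusal as an
    # "Access denied:" line naming the user, the request method and the path,
    # which is what an admin needs and what a denied client never sees.
    ErrorLog /var/log/apache2/svn-error.log
    CustomLog /var/log/apache2/svn-access.log combined

    <Location /svn/project>
        DAV svn
        SVNPath /var/svn/project

        # Layer 1, HTTP configuration: every request must authenticate.
        # An unknown or wrong credential is refused by httpd itself.
        AuthType Basic
        AuthName "Subversion"
        AuthUserFile /etc/apache2/svn.htpasswd
        Require valid-user

        # Layer 2, Subversion authorization. The assumed file
        # /etc/apache2/svn.authz contains:
        #   [groups]
        #   committers = alice, bob
        #   [/]
        #   * = r
        #   @committers = rw
        # A commit by anyone outside the group is answered with 403 by
        # mod_authz_svn, and the reason goes to ErrorLog, not to the client.
        AuthzSVNAccessFile /etc/apache2/svn.authz

        # Client-side message: says what happened and who to ask, but
        # nothing about which layer refused the request or why.
        ErrorDocument 403 "Access denied: your account may not perform this operation on this repository. Contact the repository administrator."
    </Location>
</VirtualHost>
```

To check the behaviour, commit as a user who is in svn.htpasswd but not in the committers group: the client reports the 403 with the generic body, while svn-error.log gains an "Access denied" entry identifying the user, method and path. Moving the user into the group in svn.authz is then the administrator's decision, made from the log, which is the split the first reply argues for without leaving the user, as the second reply complains, with a bare status code.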