Re: Worst Error Message?
From: Jeremy Pereira <jeremyp_at_jeremyp.net>
Date: Sun, 31 Jul 2011 21:41:19 +0100
On 31 Jul 2011, at 17:46, Rafael Heise wrote:
> In my opinion, as a network administrator, I don't want to show to my end users why the user shouldn't commit anything in the repository.
In my opinion as a Subversion user, that sucks. I think I'll switch to Mercurial. Oh, no wait, the Subversion team agreed with me and changed the message.
> Because as Les Mikesell said, the message could show some way to work around and allow the user to commit something without permission.
If there *is* a workaround, that is a security fail anyway. I hope, for your employer's sake, you do not rely on security through obscurity.
> I think the current message, 403-forbidden is an excellent message because when the end user sees this message, the user needs to call me and ask why it is not possible to commit, and then I can explain that the folder, for that user, is only for read.
I think it is a terrible message, because, if I see "403 forbidden" I call the network admin to find out why the web server is broken. If I see "You do not have permission to commit to $URL" I call the configuration manager to apply to join the list of committers.
Notwithstanding that the "403 forbidden" exposes a detail of implementation that you think could lead to a workaround.
> If he/she needs to commit something to that folder, the user needs to talk with someone who has permission. Or ask for the administrator to change the permissions.
So where's the harm in telling them that in their native language rather than expecting them to understand HTTP response codes?
> I guess a lot of users get confused about the sides, and as a lot of people are both (user and administrator) they just think the messages should show in the client-side "what is wrong" to fix it in the server, but the messages are not for the client-side to know how to fix in the server but just to let the users know that they CAN NOT commit anything because they have no permission, that's it.
If a user is not meant to have permission to commit stuff to the repository, they certainly shouldn't have the necessary admin rights on the server to fix the problem.
This is an archived mail posted to the Subversion Users mailing list.