HTTP response codes


SiNNuT

I'm trying to build some sort of 'frontend' administration area where users with the right roles can add and edit certain pages. So basically a CRUD area (minus the D in my case). I don't want to give those users access to the PW admin.

I have created a template which manages access; children of a page using this template will inherit access from it. The first thing I did was to remove the guest role from the roles that can access pages using the template.

Visiting the pages on the frontend as a guest results in a 404. This is expected, because that is the setting I chose for:

If a user attempts to access a page using this template, and doesn't have access to the page, what should it do?

In the ProcessPageView.module a 404 header is set.

Wouldn't it be appropriate to throw a '401 Unauthorized' response code? 404 is often used as catchall but in reality is not for resources that do exist.

So basically the addition of a Wire401Exception? We could have a 401 page in addition to the 404 page currently in a fresh PW installation.

Any thoughts?

Sounds reasonable (and standards-wise valid), though I'm not sure I see a whole lot of use for this. Depends on the situation, of course. (In your case I'd probably rather redirect unauthorized users to a page containing a custom login form and a proper description of what's happening.)

On the other hand, 404 is most of the time exactly what I want to show in these cases, 'cause there's usually no reason to let the user know that there's something here but she/he just doesn't have the right to access it -- kind of a "security through obscurity" thing really.. :)

While it might be 'correct' to throw a 401, I see no practical reason why a 404 wouldn't be acceptable. You won't want search engines indexing any of these pages, or any other user agent responding specifically to a 401, so a 404 would work just as well.
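
The two behaviours discussed in this thread, side by side, as an added example that is not code from any of the posters or from ProcessWire: concealing a restricted page behind the same 404 a missing page gets, versus disclosing it with 401 for guests and 403 for logged-in users without the role. The paths, role names, the `respond` function and the `Basic` challenge are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample site: path -> roles allowed to view it.
PAGES = {
    "/": {"guest"},
    "/manage/": {"editor"},
    "/manage/add-page/": {"editor"},
}
HTML = ("Content-Type", "text/html; charset=utf-8")


@dataclass(frozen=True)
class Response:
    status: int
    headers: tuple
    body: str


NOT_FOUND = Response(404, (HTML,), "<h1>Page not found</h1>")


def respond(path, roles, logged_in, conceal=True):
    """Pick the response for `path` requested by a user holding `roles`."""
    allowed = PAGES.get(path)
    if allowed is None:
        return NOT_FOUND
    # Assumption of this sketch: every visitor implicitly holds "guest".
    if allowed & (set(roles) | {"guest"}):
        return Response(200, (HTML,), f"<h1>{path}</h1>")
    if conceal:
        # Same status, headers and body as a missing page, so the response
        # does not reveal that a restricted page exists at this path.
        return NOT_FOUND
    if not logged_in:
        # A 401 must carry a WWW-Authenticate challenge (RFC 9110, 15.5.2).
        challenge = ("WWW-Authenticate", 'Basic realm="manage"')
        return Response(401, (HTML, challenge), "<h1>Login required</h1>")
    # Logged in but lacking the role: logging in again would not help.
    return Response(403, (HTML,), "<h1>Forbidden</h1>")


if __name__ == "__main__":
    for who, roles, logged_in in [("guest", [], False), ("editor", ["editor"], True)]:
        for path in ("/manage/", "/no-such-page/"):
            for conceal in (True, False):
                r = respond(path, roles, logged_in, conceal)
                print(f"{who:6} {path:15} conceal={conceal!s:5} -> {r.status}")
```

With `conceal=True` the restricted and the missing path return equal responses; with `conceal=False` the status code alone tells a guest which paths exist.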
