-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Response types for forbidden resources #454
Comments
Resolves #454 This makes it possible to "hide" forbidden resources. That is, rather than responding with a 403 Forbidden code, an admin can configure the server to respond with a 404 Not Found instead. This may be useful for applications that wish to have greater privacy controls.
Resolves #454 This makes it possible to "hide" forbidden resources. That is, rather than responding with a 403 Forbidden code, an admin can configure the server to respond with a 404 Not Found instead. This may be useful for applications that wish to have greater privacy controls.
I'm not going to lie down in the road over this, but I must disagree. This seems like a perfect example of something that should be done at an outer layer of architecture (e.g. in the caching layer or via some other proxy). Converting 403->404 inside the repository means that clients for indexing or journaling will not know whether to authenticate or to assume a missing resource. Logs for proxy layers will contain less information. "Downsampling" information internally seems premature. This seems to me like a perfect candidate for Trellis judo: doing the work not by adding code (to maintain forever) but by documenting a sound pattern that can be implemented in your choice of technology (httpd, Camel, etc.). |
That is an excellent argument. There are multiple ways one could handle a mapping of 403 -> 404 codes in various points of external layers. Putting this inside the AuthZ code adds complexity -- complexity that could be clearly handled elsewhere. |
If it's worth doing, it's worth not doing. Something about that doesn't sound quite right, but I'm sure it all works out. |
For background, please see solid/specification#14
From section 6.5.3 of RFC 7231
Trellis currently conforms to this. The HTTP specification goes on to state:
It would be nice to make this response type configurable in Trellis. That is, by default, a
403 Forbidden
response will be generated for this condition, but a server administrator could configure the server to "hide" these resources by having it respond instead with a404 Not Found
.The text was updated successfully, but these errors were encountered: