Closed Bug 634977 Opened 14 years ago Closed 14 years ago

Internal Error 500 Generated for Unauthorized Requests

Categories

(developer.mozilla.org Graveyard :: Demo Studio / Dev Derby, defect)

defect
Not set
major

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: mcoates, Unassigned)

Details

(Whiteboard: [infrasec:error][ws:low])

Issue

A 500 internal error is generated when a user requests a url that they are not authorized to access.

Steps to reproduce:

1. As an anonymous user browse to the following URL: https://developer-stage9.mozilla.org/en-US/demos/detail/test-demo/comment/23/delete/
2. Compare this vs the following URL that is properly handled https://developer-stage9.mozilla.org/en-US/demos/detail/test-demo/comment/23/foo/
3. The original /delete url is a valid url and would work if the user is authorized to modify that comment.

Recommended Remediation

Identify the error handling and update it to gracefully handle an unauthorized request to a valid URL.

This should fix the internal server error: https://github.com/fwenzel/mdn/commit/6e12fe8f247386f9f2bb727795b96d5edc0f771e There's a remaining problem that there's no templated 403 page for the site, so it just ends up with a generic "Access denied" message. I'll file a separate bug for that. (bug 635129)
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Component: Demos → Demo Studio / Dev Derby
Product: developer.mozilla.org → developer.mozilla.org Graveyard
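
The behaviour reported in this bug, reproduced as an added example that is not part of the bug thread, the linked commit or the MDN code base. It assumes the 500 comes from an authorization failure raised as an exception that nothing maps to a 403; the stand-in WSGI app, `Forbidden`, `make_app`, `audit` and the sample comment data are all hypothetical. `audit` doubles as a regression check for the three request types in the report.

```python
# Added example: stand-in WSGI app, not MDN code. All names and data are constructed.
import re
from wsgiref.util import setup_testing_defaults
COMMENTS = {23: {"author": "alice"}}  # constructed sample data
ROUTE = re.compile(r"^/en-US/demos/detail/[\w-]+/comment/(\d+)/delete/$")

class Forbidden(Exception):
    """Caller is not allowed to act on a resource that exists."""

def delete_comment(user, comment_id):
    comment = COMMENTS[comment_id]           # KeyError -> unknown comment
    if user != comment["author"]:            # anonymous callers have user=None
        raise Forbidden(f"{user!r} may not delete comment {comment_id}")
    return "deleted"                         # the deletion itself is out of scope

def make_app(error_map):
    """Build the app; exceptions missing from error_map fall through to a 500."""
    def app(environ, start_response):
        match = ROUTE.match(environ.get("PATH_INFO", ""))
        try:
            if match is None:
                raise LookupError("no such route")
            delete_comment(environ.get("REMOTE_USER"), int(match.group(1)))
            status = "200 OK"
        except Exception as exc:
            status = next((s for t, s in error_map.items() if isinstance(exc, t)),
                          "500 Internal Server Error")
        start_response(status, [("Content-Type", "text/plain")])
        return [status.encode()]
    return app

# BEFORE (assumed cause): Forbidden has no handler of its own. AFTER maps it to 403.
BEFORE = make_app({LookupError: "404 Not Found"})
AFTER = make_app({LookupError: "404 Not Found", Forbidden: "403 Forbidden"})

def status_for(app, path, user=None):
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "POST"}
    setup_testing_defaults(environ)          # fills in the remaining WSGI keys
    if user is not None:
        environ["REMOTE_USER"] = user
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return int(seen[0].split()[0])

def audit(app, base="/en-US/demos/detail/test-demo/comment/23/"):
    """Status codes for the requests from the report, plus the authorized case."""
    return {"anonymous delete": status_for(app, base + "delete/"),
            "unknown action": status_for(app, base + "foo/"),
            "author delete": status_for(app, base + "delete/", user="alice")}
```
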