Closed Bug 680104 Opened 14 years ago Closed 14 years ago

Unvouched profiles pages should show a friendly 403 (not a 500)

Categories

(Participation Infrastructure :: Phonebook, defect, P1)

Product:
Participation Infrastructure
Component:
Phonebook
Platform:
x86
macOS
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: davedash, Unassigned)

Details

Currently the 404 page we throw out isn't really accurate. 404 is resource not found, but the resource is found, we're just not showing it. So that implies that it's more along the lines of a 403 which seems harsh, but we can have a friendly message like: this profile is not publicly viewable yet CCing tofumatt for his opinion on status codes and whatnot.
Target Milestone: --- → 1.0
Yes, the status code on this error/page should be 403, but it's a pretty important/specific scenario in terms of this app. It doesn't need to be a generic 403 page; what Dave suggests is spot-on. The resource does exist; a 404 is wrong and uninformative, so let's make this change.
Sorry, this does not throw a 404 but rather a 500... the page itself exists but when unvouched, is not accessible to the public
This also happens with search; we should let people know why they aren't getting results when they search.
Summary: Unvouched profiles should get a friendlier 404 page → Unvouched profiles pages should show a friendly 403 (not a 500)
I'm not sure about the STR, but... This is by design to keep plausible deniability. I should not be able to test for the existence of profiles.
(In reply to Austin King [:ozten] from comment #4) > I'm not sure about the STR, but... > > This is by design to keep plausible deniability. > > I should not be able to test for the existence of profiles. I don't agree with this. for one, the profile sign up page tells you explicitly to share the link. If you then pull the link up in a browser without being logged in to an appropriate account, it throws the 500 error. This is a mixed message to new users and can become confusing. Secondly, plausible deniability shouldn't count here, unless the random profile ID (in my case, 1d05f8003a) can be decoded to user-identifiable data.
> I don't agree with this. > > for one, the profile sign up page tells you explicitly to share the link. > If you then pull the link up in a browser without being logged in to an > appropriate account, it throws the 500 error. This is a mixed message to > new users and can become confusing. > > Secondly, plausible deniability shouldn't count here, unless the random > profile ID (in my case, 1d05f8003a) can be decoded to user-identifiable data. +1 Even if we had user chosen usernames... going to /ozten and seeing that you have a profile that I can't see doesn't mean anything.
Priority: -- → P1
Looks like we force login now. Makes sense.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Verified that trying to access a profile as anonymous forces you to log in.
Status: RESOLVED → VERIFIED
Component: mozillians.org → Phonebook
Product: Websites → Community Tools
QA Contact: mozillians-org → phonebook
Target Milestone: 1.0 → ---
Version: unspecified → other
You need to log in before you can comment on or make changes to this bug.