Logged-in only access directs to 404 #265
This could be considered expected behaviour - broadly, if a page exists but the user doesn't have permission to view it, the CMS shouldn't expose its existence by redirecting to a login form, which has been an issue in the past. Perhaps there should be an exception for the root (home) page, though - every site has one, and since it doesn't have a visible slug it wouldn't be exposing any unique information.
I think from the settings tab of the site this should redirect to a login form; you're essentially saying protect the entire site. For page-level settings, though, perhaps not.
Right, so if all URLs, valid or not, redirected to the login form this would make sense - but if there is different behaviour between trying to load a real page you don't have access to, and trying to load a non-existent page, that's leaking information (it may seem inconsequential, but there is the risk of competitors trawling potential URLs to identify upcoming product launches, for example).
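The distinction made in the comment above (a per-page login redirect versus a 404 gives an anonymous visitor an existence oracle, while a site-wide login requirement does not) as an added Python example. This is not code from this issue or from the project; the page model, the slugs and the login URL are constructed for illustration, and `distinguishable()` is the check a reviewer would run against either dispatcher.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed site model (not the CMS's own API): a page and whether it is public.
@dataclass
class Page:
    slug: str
    public: bool  # False means the page is viewable by logged-in users only

@dataclass
class Response:
    status: int
    location: Optional[str] = None
    body: str = ""

# Constructed content: the home page (empty slug), a restricted page whose slug
# hints at unreleased work, and one public page.
SITE = {
    "": Page("", public=False),
    "launch-2020": Page("launch-2020", public=False),
    "about": Page("about", public=True),
}

LOGIN_URL = "/Security/login"  # assumed login form location


def leaky_dispatch(path: str, user_logged_in: bool) -> Response:
    """Per-page permission check only: a restricted page redirects to login,
    an unknown path gets a 404. An anonymous visitor can tell the two apart,
    which is exactly the information leak discussed in the thread."""
    page = SITE.get(path)
    if page is None:
        return Response(404, body="Not found")
    if page.public or user_logged_in:
        return Response(200, body=f"page {page.slug or 'home'}")
    return Response(302, location=f"{LOGIN_URL}?BackURL=/{path}")


def uniform_dispatch(path: str, user_logged_in: bool,
                     site_requires_login: bool = True) -> Response:
    """Site-level 'logged-in only' setting: every anonymous request, whether the
    page exists or not, is answered with the same login redirect before any
    lookup happens, so the response carries no signal about page existence."""
    if site_requires_login and not user_logged_in:
        return Response(302, location=f"{LOGIN_URL}?BackURL=/{path}")
    page = SITE.get(path)
    if page is None:
        return Response(404, body="Not found")
    if page.public or user_logged_in:
        return Response(200, body=f"page {page.slug or 'home'}")
    return Response(302, location=f"{LOGIN_URL}?BackURL=/{path}")


def distinguishable(dispatch, existing_path: str, missing_path: str) -> bool:
    """Existence-oracle check: does an anonymous request for a real restricted
    page get a different status or body than a request for a missing one?
    The Location header is ignored because it only echoes the requested path."""
    real = dispatch(existing_path, user_logged_in=False)
    fake = dispatch(missing_path, user_logged_in=False)
    return (real.status, real.body) != (fake.status, fake.body)


if __name__ == "__main__":
    for name, fn in (("leaky", leaky_dispatch), ("uniform", uniform_dispatch)):
        print(name, "leaks existence:", distinguishable(fn, "launch-2020", "no-such-page"))
```

Running the block prints that the per-page dispatcher leaks existence and the site-wide one does not; the same comparison can be made against a live site by requesting one known-restricted URL and one random URL anonymously and diffing status and body.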
To @Cheddam's point, I've updated the description to make this clear, namely:
I raised this in this module because I thought the behaviour differed from a cwp-installer site. I've since retested and can't see a difference. Perhaps there's a better place for this issue? To be clear, my expectation is that no matter whether the page exists or not, the visitor should always be directed to a login form.
I guess that'd be a behaviour change to what's there now, but it makes sense to me. +1
Overview
Following this test scenario:
Steps to recreate
Test definition
(FAIL) 7. Then I should see the login form
Actual result: 7. Website visitor is taken to the default 404 page when visiting a fake page
Expected result: 7. Then I should see the login form
Version
4.5.rc-1