#5046 Private issues return 404 when user does not have access
Closed: Invalid 3 years ago by ngompa. Opened 3 years ago by bcotton.

When an authenticated user does not have access to a private issue, Pagure returns HTTP 404 (Not found). 403 (Forbidden) seems more appropriate in this case.


We intentionally return HTTP 404 for private issues you lack access to. The security theory was that HTTP 403 is an information leak in itself, so using a 404 error ensures you can't tell the difference among nonexistent, deleted, or private issues.

Metadata Update from @ngompa:
- Issue close_status updated to: Invalid
- Issue status updated to: Closed (was: Open)

3 years ago

> We intentionally return HTTP 404 for private issues you lack access to. The security theory was that HTTP 403 is an information leak in itself, so using a 404 error ensures you can't tell the difference among nonexistent, deleted, or private issues.

Indeed :)
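The rationale in the thread, as an added example that is not Pagure's own code: two hypothetical lookup handlers over a constructed in-memory issue store. `lookup_leaky` answers 403 for a private issue the caller may not read, which lets an unauthenticated caller enumerate which issue numbers are private; `lookup_safe` returns the same 404 status and body for missing, deleted and inaccessible private issues, so the probe learns nothing. `Issue`, `ISSUES`, `can_view` and `private_ids_revealed` are assumed names for this example only.

```python
# Added example, not Pagure's code. It contrasts a handler that returns 403 for
# private issues the caller cannot read with one that collapses "missing",
# "deleted" and "private, no access" into one identical 404 response.
from dataclasses import dataclass, field
from typing import Callable, Iterable, Optional, Set, Tuple

Response = Tuple[int, str]  # (HTTP status, response body)


@dataclass
class Issue:
    id: int
    title: str
    private: bool = False
    deleted: bool = False
    # Hypothetical access list: users allowed to read a private issue.
    allowed_users: Set[str] = field(default_factory=set)


# Constructed sample data for the example.
ISSUES = {
    1: Issue(1, "Public bug"),
    2: Issue(2, "Private security report", private=True, allowed_users={"alice"}),
    3: Issue(3, "Removed issue", deleted=True),
}

# One shared constant so every "not found" answer is byte-identical. A
# different body (or body length) for private vs. missing issues would
# reopen the oracle even with the same status code.
NOT_FOUND: Response = (404, "Issue not found")


def can_view(issue: Issue, user: Optional[str]) -> bool:
    """Public issues are visible to everyone, private ones only to listed users."""
    return not issue.private or (user is not None and user in issue.allowed_users)


def lookup_leaky(issue_id: int, user: Optional[str]) -> Response:
    """403 for a private issue without access: confirms the issue exists."""
    issue = ISSUES.get(issue_id)
    if issue is None or issue.deleted:
        return NOT_FOUND
    if not can_view(issue, user):
        return (403, "Forbidden")
    return (200, issue.title)


def lookup_safe(issue_id: int, user: Optional[str]) -> Response:
    """Missing, deleted and inaccessible private issues are indistinguishable."""
    issue = ISSUES.get(issue_id)
    if issue is None or issue.deleted or not can_view(issue, user):
        return NOT_FOUND
    return (200, issue.title)


def private_ids_revealed(lookup: Callable[[int, Optional[str]], Response],
                         ids: Iterable[int], user: Optional[str]) -> Set[int]:
    """Enumeration probe: ids whose response is neither 'not found' nor 200.

    Any such response tells the caller a hidden issue exists at that number.
    """
    revealed = set()
    for i in ids:
        status, body = lookup(i, user)
        if (status, body) != NOT_FOUND and status != 200:
            revealed.add(i)
    return revealed


if __name__ == "__main__":
    print("leaky handler reveals:", private_ids_revealed(lookup_leaky, range(1, 10), None))
    print("safe handler reveals: ", private_ids_revealed(lookup_safe, range(1, 10), None))
```

Running the probe as an anonymous caller over issue numbers 1 through 9 yields `{2}` against the leaky handler and an empty set against the safe one; `alice` still gets a 200 from either handler for issue 2, so access for authorized users is unchanged.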
