On 30 Jul 2011, at 20:10, Les Mikesell wrote:

> On 7/30/11 1:14 PM, Jeremy Pereira wrote:
>> 
>> On 30 Jul 2011, at 18:17, Les Mikesell wrote:
>> 
>>> 
>>> '403 forbidden' makes reasonable sense for a client-side message to someone 
>>> who shouldn't know internal details anyway.
>> 
>> Seriously?  You think an HTTP response code (which *is* an internal detail) 
>> is an acceptable error message.  You think it makes sense?  Why is 403 
>> forbidden?  Oh, right, that's just a code.  Ok what is forbidden?  Is it me? 
>>  the repository? writing to the repository?  writing to a particular file?  
>> Why is it forbidden?  Is it because it is Tuesday? WHY???!!!!
>> 
>> It's a useless error message. It's even pretty useless to the average person 
>> when they are trying to use a browser to access a URL.
> 
> From a security perspective it is a bad idea to tell a network client that is 
> doing something you have explicitly denied any of the details of how the 
> system is configured to prevent it.  Working correctly is usually a yes or no 
> question and this answer is clearly 'no'.
> 

From a software-that-is-not-a-complete-pig-to-use point of view, this is 
nonsense.  If I'm a user trying to check something in to subversion, "403 
forbidden" is useless.  I don't know if I've got to the wrong server, mistyped 
a URL or don't have access rights.  If you think the error message "you do not 
have permission to commit to $URL_THATS_EASY_TO_FIND_IN_THE_WORKING_COPY" is a 
security risk, you need to think again about what security is.


>>> Is something better in the apache error log where the sysadmin who set it 
>>> up wrong should be looking?
>> 
>> Except that the administrator might not have set up the repository wrong.  
>> He might have made it deliberately read only.  Users should not have to 
>> trawl Apache logs to find out that they are not allowed to commit to a 
>> repository.
> 
> Right, if the system is intentionally set up for read-only access, the user 
> should not get a hint about how to work around it, and it won't do them any 
> particular good to know if it is denied in the http config, the authorization 
> setup, or the filesystem.   Really, what do you need to know as an end user 
> besides that your commit was denied?

Telling somebody that they only have read access to a repository is not giving 
them a hint about how to work around it.  "403 forbidden" is not telling 
somebody that they only have read access to a repository (or part of a 
repository).  It's telling them that a web server somewhere doesn't like them.  
"What, a web server?  I thought I was using subversion" says the user.
