
"Page not found" (404) is displayed to users without view permissions, should be "Access denied"

      When a user doesn't have view permission for a space, he/she receives a 404 page when accessing URLs from this space.

      This is a bad UI design. Instead, an "Access denied" error should be displayed to communicate clearly what the user needs to do to resolve the problem (request space permissions).

      When a user tries to access a page with page-level restrictions, and this user is not authorized to view the page, an "Access Denied" error is displayed. This is exactly the same behavior that should be used when a user doesn't have space-level permissions.

        1. Picture 5.png (21 kB, CharlesA)

            [CONFSERVER-9239] "Page not found" (404) is displayed to users without view permissions, should be "Access denied"

            CharlesA added a comment -

            I've changed the wording of the 404 page to the following:

            I'll file a separate issue to try to make the handling of non-existent/non-viewable spaces more consistent but that's unlikely to fit in a point release.

            Igor Minar added a comment -

            I believe the remote API could be used to determine existence of spaces/pages too.

            CharlesA added a comment -

            Matt's point above is undermined slightly by the fact that right now you can go to /display/SPACEKEY and it will either 404 or notpermitted based on whether the space exists or not.

            Fail.

            Andrew Lynch (Inactive) added a comment -

            I think the more helpful error message is the way to go, as well as significantly reducing the complexity of this task.

            Igor Minar added a comment -

            Matt,
            I understand that you are trying to hide the existence of a protected space, and I have to admit that for a long time I thought that that was the right approach, but after seeing too many confused users, I'd really like the error message to be changed.

            Don's idea above sounds really good. How about changing the error page to "Page does not exist or you don't have permission to access it"?

            Don Willis added a comment -

            Perhaps the UI for the 404 page should indicate that the page may exist in a space they do not have access to?

            Matt Ryall added a comment -

            Igor, this is by design. Confluence doesn't want to leak information about the existence or non-existence of spaces which users don't have permission to see. Hence, you get a page-not-found response when visiting a page in a space you don't have access to view.

            However, page permissions are a different matter. You can tell whether a page exists in a space you have access to by creating a link to it. This is why there is a difference between the response for a page you don't have access to and a space you don't have access to.

            If this is confusing, we would consider an improvement request to change the behaviour, but we don't currently consider this a bug. Please let me know how you'd like to proceed.

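An added illustration of the trade-off discussed in the comments above (it is not Confluence code and not part of any comment): a regression check that flags any route answering differently for a hidden space than for a nonexistent one. The handlers, route names, `SPACES` data and `leaky_routes` are hypothetical; the combined message is the wording proposed in the thread.

```python
from dataclasses import dataclass

# Constructed sample data: space key -> users holding view permission.
SPACES = {"ENG": {"alice"}, "HR": {"bob"}}
# Wording proposed in the thread for the combined error page.
COMBINED = "Page does not exist or you don't have permission to access it"


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def space_home(user, key):
    """Hypothetical /display/{space} handler that answers the two cases differently."""
    if key not in SPACES:
        return Response(404, "Page not found")
    if user not in SPACES[key]:
        return Response(403, "Not permitted")
    return Response(200, f"Home of {key}")


def page_view(user, key):
    """Hypothetical /display/{space}/{page} handler with one answer for both cases."""
    viewers = SPACES.get(key)
    if viewers is None or user not in viewers:
        return Response(404, COMBINED)
    return Response(200, f"Page in {key}")


ROUTES = {"/display/{space}": space_home, "/display/{space}/{page}": page_view}


def leaky_routes(user, hidden_key, missing_key, routes=ROUTES):
    """Routes where a user without view permission gets a different response
    for an existing-but-hidden space than for a space that does not exist."""
    return [name for name, handler in routes.items()
            if handler(user, hidden_key) != handler(user, missing_key)]


if __name__ == "__main__":
    # alice cannot view HR; NOPE does not exist.
    print(leaky_routes("alice", "HR", "NOPE"))
```

Comparing status and body together matters here: a route that returns 404 in both cases but with different text still lets the caller tell the cases apart.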

            Ursula Schwantag added a comment -

            I agree. It would be much less confusing for users if the error page listed the possibility that they don't have permission, e.g. "The page you were trying to reach could not be found: it may have been renamed or moved to another space, the name you requested may be incomplete, or you may not have permission to view it."

            Igor Minar added a comment -

            A similar bug report (but not a dupe) can be found here: http://jira.atlassian.com/browse/CONF-7073
