[TYPO3-v4] HTTP Status and protected pages
Helmut Hummel
helmut.hummel at typo3.org
Mon Mar 14 08:38:07 CET 2011
Hi,
On 13.03.11 22:54, Steffen Kamper wrote:
> If I call a user protected page directly (enter URL) then it gives an HTTP
> status 404.
>
> This is wrong IMHO, and it gives no chance to react correctly.
> I would think that 401 "Unauthorized" should be used. That would allow,
> * if user is logged in -> redirect to a page informing that he does not
> have enough rights for this page
> * if not logged in -> redirect to login page
Such redirect handling is currently not part of the core.
> At the moment the pageNotFound_handling is called which doesn't help the
> user.
The pageNotFoundHandler gets all needed information to act as desired
(output a header, redirect to a login page).
Unfortunately this does not work with realurl, because realurl exits
(calls the handler) before the groups are initialized, so it's
impossible to distinguish between "page not found" and "page not
accessible".
Kind regards,
Helmut
--
Helmut Hummel
TYPO3 Security Team Leader
TYPO3 .... inspiring people to share!
Get involved: typo3.org
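
Added example, not part of the original message and not TYPO3 core code: a sketch of a pageNotFound_handling user function that uses the information passed to the handler to tell "page not accessible" from "page not found". The class name, file path and URLs are hypothetical, and the parameter keys `pageAccessFailureReasons` (with its `fe_group` entry) and `currentUrl` are assumptions about what TYPO3 4.x passes to the handler. When the handler is called before the groups are initialized, as described above for realurl, no access reasons are available and the code falls back to 404.

```php
<?php
// Added example. Assumed registration in localconf.php (hypothetical path and class):
// $TYPO3_CONF_VARS['FE']['pageNotFound_handling'] =
//   'USER_FUNCTION:fileadmin/class.user_accesshandler.php:user_accessHandler->handle';
class user_accessHandler {
    const LOGIN_URL = '/login/';   // placeholder path of the login page

    /**
     * Pure decision logic: returns array(status line, redirect target or NULL).
     * $reasons is the assumed 'pageAccessFailureReasons' array.
     */
    public static function decide(array $reasons, $isLoggedIn, $requestedUri) {
        // No group restriction reported: treat as a real "not found".
        if (empty($reasons['fe_group'])) {
            return array('HTTP/1.1 404 Not Found', NULL);
        }
        // Logged in, but not in a group that may see the page.
        // 403 is used instead of 401 because 401 requires a WWW-Authenticate header.
        if ($isLoggedIn) {
            return array('HTTP/1.1 403 Forbidden', NULL);
        }
        // Not logged in: send to the login page. Only a local path is passed
        // along as return target, so the login page cannot be used to bounce
        // visitors to another host.
        $isLocalPath = is_string($requestedUri)
            && preg_match('#^/(?![/\\\\])[^\r\n]*$#', $requestedUri) === 1;
        $back = $isLocalPath ? $requestedUri : '/';
        return array(
            'HTTP/1.1 303 See Other',
            self::LOGIN_URL . '?redirect_url=' . rawurlencode($back)
        );
    }

    /** Entry point called by TYPO3; $pObj is the frontend controller (tslib_fe). */
    public function handle(array $params, $pObj) {
        $reasons = isset($params['pageAccessFailureReasons'])
            ? (array) $params['pageAccessFailureReasons'] : array();
        $uri = isset($params['currentUrl']) ? $params['currentUrl'] : '/';
        list($status, $location) = self::decide($reasons, !empty($pObj->loginUser), $uri);
        header($status);
        if ($location !== NULL) {
            header('Location: ' . $location);
            return '';
        }
        // The body is the same short text for 403 and 404.
        return '<h1>' . htmlspecialchars(substr($status, 9)) . '</h1>';
    }
}
```

Answering 403 or a login redirect for restricted pages tells an anonymous visitor that the page exists; keep the 404 branch for every case where that should stay hidden.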