[MAGNOLIA-3698] Authentication required for http://demopublic.magnolia-cms.com/data Created: 18/May/11 Updated: 03/Dec/13 Resolved: 03/Dec/13 |
|
| Status: | Closed |
| Project: | Magnolia |
| Component/s: | security |
| Affects Version/s: | 4.4.3 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Neutral |
| Reporter: | Andrea Castelli | Assignee: | Philipp Bärfuss |
| Resolution: | Won't Fix | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Description |
|
The following URL: http://demopublic.magnolia-cms.com/data returns the authentication form. After the credentials are submitted a 404 is returned. By me, the 404 error should be returned, without the authentication form. Thank you. |
| Comments |
| Comment by Magnolia International [ 19/May/11 ] |
|
This is most likely related to the data URI2RepositoryMapping; anonymous user having no permissions to the data workspace, this explains that. However I agree that the behavior is unexpected. |
| Comment by Andrea Castelli [ 19/May/11 ] |
|
Thank you for the check. This unexpected behavior was pointed out by a customer concerned about the security. |
| Comment by Philipp Bärfuss [ 20/May/11 ] |
|
If the user (anonymous in this case) has enough permissions he will see the 404. I consider it correct that the permissions are checked before we try to access the content. As far as I know this is also the case in Apache. The server won't let you know if a file exists unless you have read permissions. Am I wrong? |
| Comment by Andrea Castelli [ 20/May/11 ] |
|
You are right. I understand what you mean from Magnolia's point of view. But from a user's point of view this is not the best behavior. I would like to receive a 404 response like the other nonexistent pages. If I don't want to receive the mgnl login form I should set a rule before the request is managed by Magnolia. |
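
The ordering discussed in the 20/May/11 comments (permission check before content lookup), as an added example that is not part of the ticket and not Magnolia code. It is a simplified model: the mapping table, ACLs, content sets, handler names and the `LOGIN_FORM` response label are all hypothetical, and it compares what an anonymous caller can observe under each ordering.

```python
# Simplified model of the request flow discussed in this ticket. All names
# (MAPPINGS, READ_ACL, CONTENT, handle_*) are hypothetical, not Magnolia APIs.

# URI prefix -> workspace, standing in for a URI-to-repository mapping (constructed).
MAPPINGS = {"/data": "data", "/": "website"}
# Roles allowed to read each workspace (constructed).
READ_ACL = {"data": {"editor"}, "website": {"anonymous", "editor"}}
# Nodes that actually exist in each workspace (constructed).
CONTENT = {"data": {"/data/contacts"}, "website": {"/", "/about"}}


def resolve_workspace(path):
    """Longest-prefix match of the request path against the mappings."""
    hits = [p for p in MAPPINGS if path == p or path.startswith(p.rstrip("/") + "/")]
    return MAPPINGS[max(hits, key=len)]


def handle_authz_first(path, role):
    """Ordering described in the ticket: permission check, then content lookup."""
    ws = resolve_workspace(path)
    if role not in READ_ACL[ws]:
        # Same answer whether or not the node exists: no existence oracle.
        return "LOGIN_FORM"
    return "200 OK" if path in CONTENT[ws] else "404 Not Found"


def handle_lookup_first(path, role):
    """Alternative ordering: content lookup, then permission check."""
    ws = resolve_workspace(path)
    if path not in CONTENT[ws]:
        return "404 Not Found"
    return "200 OK" if role in READ_ACL[ws] else "LOGIN_FORM"


def distinct_responses(handler, paths, role):
    """Set of responses a caller with `role` can observe across `paths`."""
    return {handler(p, role) for p in paths}


if __name__ == "__main__":
    probes = ["/data", "/data/contacts", "/data/nope"]
    for h in (handle_authz_first, handle_lookup_first):
        print(h.__name__, sorted(distinct_responses(h, probes, "anonymous")))
```

With the permission check first, every probe under `/data` looks the same to an anonymous caller; with the lookup first, the 404-versus-login split reveals which protected nodes exist.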