[MAGNOLIA-3698] Authentication required for http://demopublic.magnolia-cms.com/data
Created: 18/May/11  Updated: 03/Dec/13  Resolved: 03/Dec/13

Status: Closed
Project: Magnolia
Component/s: security
Affects Version/s: 4.4.3
Fix Version/s: None

Type: Bug
Priority: Neutral
Reporter: Andrea Castelli
Assignee: Philipp Bärfuss
Resolution: Won't Fix
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The following URL:

http://demopublic.magnolia-cms.com/data

returns the authentication form. After the credentials are submitted, a 404 is returned.

In my opinion, the 404 error should be returned without the authentication form.

Thank you.



 Comments   
Comment by Magnolia International [ 19/May/11 ]

This is most likely related to the data URI2RepositoryMapping; the anonymous user has no permissions to the data workspace, which explains that. However, I agree that the behavior is unexpected.

Comment by Andrea Castelli [ 19/May/11 ]

Thank you for the check. This unexpected behavior was pointed out by a customer concerned about security.

Comment by Philipp Bärfuss [ 20/May/11 ]

If the user (anonymous in this case) has enough permissions, he will see the 404. I consider it correct that the permissions are checked before we try to access the content. As far as I know, this is also the case in Apache. The server won't let you know if a file exists unless you have read permissions.

Am I wrong?

Comment by Andrea Castelli [ 20/May/11 ]

You are right. I understand what you mean from Magnolia's point of view.

But from a user's point of view this is not the best behavior. I would like to receive a 404 response like for the other nonexistent pages.

If I don't want to receive the mgnl login form I should set a rule before the request is managed by Magnolia.
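
Added example, not part of the issue thread and not Magnolia code: a small model of the two check orders discussed above, showing why checking permissions before looking up content gives an anonymous client the login form for /data and an authorized user the 404. The mapping, ACL, content paths, role names and the use of status 401 to stand for "login form" are all assumptions constructed for illustration.

```python
"""Check ordering and what an anonymous client can learn (constructed example)."""

# Constructed data: URI prefix -> workspace, loosely modelled on the
# URI2RepositoryMapping mentioned in the thread. All names are hypothetical.
URI_TO_WORKSPACE = {"/data": "data", "/": "website"}

# Constructed ACL: roles allowed to read each workspace.
READ_ACL = {"website": {"anonymous", "editor"}, "data": {"editor"}}

# Constructed content: paths that exist in each workspace.
CONTENT = {"website": {"/", "/about"}, "data": {"/data/contacts"}}

# Assumption: 401 stands for "login form shown"; the thread names no status.
LOGIN_FORM, NOT_FOUND, OK = 401, 404, 200


def resolve_workspace(path):
    """Longest-prefix match of the request path to a workspace."""
    matches = [p for p in URI_TO_WORKSPACE
               if path == p or path.startswith(p.rstrip("/") + "/")]
    return URI_TO_WORKSPACE[max(matches, key=len)]


def authz_first(path, role):
    """Order described in the thread: permission check, then content lookup."""
    ws = resolve_workspace(path)
    if role not in READ_ACL[ws]:
        return LOGIN_FORM  # same answer whether or not the path exists
    return OK if path in CONTENT[ws] else NOT_FOUND


def lookup_first(path, role):
    """Alternative order: missing paths get a 404 before any permission check."""
    ws = resolve_workspace(path)
    if path not in CONTENT[ws]:
        return NOT_FOUND
    return OK if role in READ_ACL[ws] else LOGIN_FORM


def existence_leak(handler, role, existing, missing):
    """True if `role` can tell an existing path from a missing one by status."""
    return handler(existing, role) != handler(missing, role)


if __name__ == "__main__":
    for handler in (authz_first, lookup_first):
        leak = existence_leak(handler, "anonymous",
                              "/data/contacts", "/data/nope")
        print(handler.__name__, "/data ->", handler("/data", "anonymous"),
              "| existence visible to anonymous:", leak)
```

With the permission check first, every path under the protected workspace looks identical to an anonymous client; with the lookup first, /data returns the 404 the reporter asked for, but status codes then reveal which protected paths exist.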
