WordPress.org

Make WordPress Core

Opened 15 months ago

Closed 3 months ago

#23407 closed defect (bug) (invalid)

http 403 should be returned for private content

Reported by: mark-k
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.4
Component: General
Keywords:
Focuses:
Cc:

Description

Right now a 404 is returned, which indicates that there is no content at the URL, while all you need to do in order to see it is to log in.

The same probably applies to posts which were published and returned to draft state.

Change History (4)

comment:1 mark-k 15 months ago

On second thought, maybe it is better to simply redirect to the login page.

comment:2 follow-up: TobiasBg 15 months ago

Both the 403 and the redirect would reveal that there is private content at that URL, which might not be the desired behavior.

comment:3 in reply to: ↑ 2 mark-k 15 months ago

Replying to TobiasBg:

Both the 403 and the redirect would reveal that there is private content at that URL, which might not be the desired behavior.

I see where you're coming from, but I disagree. No one just scans addresses in the hope that he will discover by pure chance that at address X there is content he can't even guess anything about. I assume that most people get to this kind of URL because they got it in mail or SMS and they know they are supposed to be able to access the content, but what they see is a "no content here" page.

comment:4 nacin 3 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Private is not meant to be "you need an account" private. It is meant to be "it doesn't exist" private. Let's not tip our hats with a 403.
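
Added example, not part of the ticket and not WordPress code: a regression check that compares the anonymous response for a private post with the response for a URL that does not exist, and lists every field that would reveal the private post is there. The `Response` type, the volatile-header list and the three sample responses (including the redirect path) are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Assumption: headers that vary on every request and are ignored when comparing.
VOLATILE_HEADERS = {"date", "set-cookie", "x-request-id"}


def _stable_headers(resp):
    return {k.lower(): v for k, v in resp.headers.items()
            if k.lower() not in VOLATILE_HEADERS}


def existence_signals(missing, private):
    """List the ways an anonymous client could tell `private` from `missing`."""
    signals = []
    if missing.status != private.status:
        signals.append(f"status {missing.status} != {private.status}")
    a, b = _stable_headers(missing), _stable_headers(private)
    for name in sorted(a.keys() | b.keys()):
        if a.get(name) != b.get(name):
            signals.append(f"header {name}")
    if missing.body != private.body:
        signals.append("body")
    return signals


# Constructed sample responses to an anonymous request (not captured traffic).
HTML = {"Content-Type": "text/html"}
NOT_FOUND = Response(404, HTML, "<h1>Page not found</h1>")
CANDIDATES = {
    "404": Response(404, HTML, "<h1>Page not found</h1>"),   # behaviour kept
    "403": Response(403, HTML, "<h1>Forbidden</h1>"),        # original proposal
    "login-redirect": Response(                              # comment:1
        302, {"Location": "/wp-login.php?redirect_to=%2Fsample-private-post%2F"}),
}


def audit():
    """Map each candidate behaviour to the signals that distinguish it from a 404."""
    return {name: existence_signals(NOT_FOUND, r) for name, r in CANDIDATES.items()}


if __name__ == "__main__":
    for name, signals in audit().items():
        print(f"{name}: {', '.join(signals) or 'indistinguishable'}")
```

An empty list means the private URL and the nonexistent URL look the same to a logged-out client; the same comparison also catches differences in headers or body that remain when the status code matches.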
