Please vote in the moderator election - it will be open for the next few days.
@LS: Please update the first post to reflect this.
XenoK wrote:
by the way, it's giving a 404 error.
What is?
If you're referring to the election page, it always gives a 404 if you aren't logged in.
Last edited by jvvg (2012-09-30 21:21:48)
it only gives a 404 if you're not logged in
veggieman001 wrote:
it only gives a 404 if you're not logged in
Yeah, because of the way we programmed permissions, if you don't have permissions necessary to view a page, it just gives a 404. (another code idea I borrowed from Scratch)
It's nice for admin pages, so people won't know the URLs. For other things, we didn't want to write more code.
Last edited by jvvg (2012-09-30 21:25:01)
jvvg wrote:
veggieman001 wrote:
it only gives a 404 if you're not logged in
Yeah, because of the way we programmed permissions, if you don't have permissions necessary to view a page, it just gives a 404. (another code idea I borrowed from Scratch)
It's nice for admin pages, so people won't know the URLs. For other things, we didn't want to write more code.
HTTP 403 is much more appropriate in this situation.
nXIII wrote:
jvvg wrote:
veggieman001 wrote:
it only gives a 404 if you're not logged in
Yeah, because of the way we programmed permissions, if you don't have permissions necessary to view a page, it just gives a 404. (another code idea I borrowed from Scratch)
It's nice for admin pages, so people won't know the URLs. For other things, we didn't want to write more code.
HTTP 403 is much more appropriate in this situation.
Well, maybe we don't really want people to know where exactly the page is at
LS97 wrote:
nXIII wrote:
jvvg wrote:
Yeah, because of the way we programmed permissions, if you don't have permissions necessary to view a page, it just gives a 404. (another code idea I borrowed from Scratch)
It's nice for admin pages, so people won't know the URLs. For other things, we didn't want to write more code.
HTTP 403 is much more appropriate in this situation.
Well, maybe we don't really want people to know where exactly the page is at
That's why admin pages give a 404. If it gives a 403, people will know the URL.
For the other ones, I'm just too lazy to write new code.
jvvg wrote:
LS97 wrote:
nXIII wrote:
HTTP 403 is much more appropriate in this situation.
Well, maybe we don't really want people to know where exactly the page is at
That's why admin pages give a 404. If it gives a 403, people will know the URL.
For the other ones, I'm just too lazy to write new code.
Although you could show a 403 for permissions < 3 and a 404 for permission 3...
LS97 wrote:
jvvg wrote:
LS97 wrote:
Well, maybe we don't really want people to know where exactly the page is at
That's why admin pages give a 404. If it gives a 403, people will know the URL.
For the other ones, I'm just too lazy to write new code.
Although you could show a 403 for permissions < 3 and a 404 for permission 3...
That's true.
I might implement that later today.
LS97 wrote:
Well, maybe we don't really want people to know where exactly the page is at
It doesn't matter if they have the URL, because they can't access it.
EDIT: Alternatively, always return a 403 on admin directories, which meets both requirements (the URLs are not exposed and the correct status code is returned)
Last edited by nXIII (2012-10-01 18:12:40)
nXIII wrote:
LS97 wrote:
Well, maybe we don't really want people to know where exactly the page is at
It doesn't matter if they have the URL, because they can't access it.
EDIT: Alternatively, always return a 403 on admin directories, which meets both requirements (the URLs are not exposed and the correct status code is returned)
Returning a 403 does expose the URL, because people will see that the page does in fact exist.
The 404 tells the user that there is no page there and they are just wasting their time.
jvvg wrote:
nXIII wrote:
LS97 wrote:
Well, maybe we don't really want people to know where exactly the page is at
It doesn't matter if they have the URL, because they can't access it.
EDIT: Alternatively, always return a 403 on admin directories, which meets both requirements (the URLs are not exposed and the correct status code is returned)
Returning a 403 does expose the URL, because people will see that the page does in fact exist.
The 404 tells the user that there is no page there and they are just wasting their time.
though the purpose has sorta already been defeated, cause the site's open source.
SJRCS_011 wrote:
jvvg wrote:
nXIII wrote:
It doesn't matter if they have the URL, because they can't access it.
EDIT: Alternatively, always return a 403 on admin directories, which meets both requirements (the URLs are not exposed and the correct status code is returned)
Returning a 403 does expose the URL, because people will see that the page does in fact exist.
The 404 tells the user that there is no page there and they are just wasting their time.
though the purpose has sorta already been defeated, cause the site's open source.
True, but it's the same thing on this website, and I tried to copy a lot of the "good" aspects of ScratchR into the Mod Share Platform IV.
Stuff like the dispatcher, using entirely MySQL, caching data, even the ban screen, they all were related to ScratchR.
jvvg wrote:
Returning a 403 does expose the URL, because people will see that the page does in fact exist.
The 404 tells the user that there is no page there and they are just wasting their time.
That's not correct: returning a 403 status code unconditionally for a directory if permission is denied does not expose the URL (except for the root protected directory). For example:
Admin:
/admin/index - 200
/admin/ban - 200
/admin/forum/index - 200
/admin/foo - 404
/admin/bar - 404
User:
/admin/index - 403
/admin/ban - 403
/admin/forum/index - 403
/admin/foo - 403
/admin/bar - 403
As you can see, the correct URLs are indistinguishable from the incorrect ones when permission is not granted to the user.
Last edited by nXIII (2012-10-01 19:53:31)
nXIII wrote:
jvvg wrote:
Returning a 403 does expose the URL, because people will see that the page does in fact exist.
The 404 tells the user that there is no page there and they are just wasting their time.
That's not correct: returning a 403 status code unconditionally for a directory if permission is denied does not expose the URL (except for the root protected directory). For example:
Admin:
/admin/index - 200
/admin/ban - 200
/admin/forum/index - 200
/admin/foo - 404
/admin/bar - 404
User:
/admin/index - 403
/admin/ban - 403
/admin/forum/index - 403
/admin/foo - 403
/admin/bar - 403
As you can see, the correct URLs are indistinguishable from the incorrect ones when permission is not granted to the user.
However, it does reveal that the admin panel is at /admin, while it might be somewhere else (I happen to know it's /administration here). For Mod Share, you need to find out yourself.
You can't hide it if it is to be open source.
^ wooo 6 two letter words in a row! COMBO!
EDIT: https://www.assembla.com/code/mod-share … ages/admin
Last edited by MathWizz (2012-10-01 20:31:39)
MathWizz wrote:
You can't hide it if it is to be open source.
^ wooo 6 two letter words in a row! COMBO!
EDIT: https://www.assembla.com/code/mod-share … ages/admin
Well, you can hide the URL on the service (even though you obviously can't in the source), but that's pretty useless.
In summary: return 403s for forbidden pages and 404s for nonexistent pages. If your auth actually works, nobody cares if they have the URLs because they can't access them.
Last edited by nXIII (2012-10-01 20:56:52)
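The status-code table nXIII posted above and the summary "403 for forbidden, 404 for nonexistent" describe three possible dispatcher behaviours. The following is an added Python example (not Mod Share's PHP code, and not from anyone in this thread) that models all three on a constructed route table so the difference can be checked rather than argued. The paths, permission levels and the protected directory prefix are assumptions for illustration; the one real caveat it adds is that the prefix check has to run on the canonicalised path, otherwise a request like /admin/../admin/ban can reach the route table without ever hitting the directory check.

```python
import posixpath
from typing import Callable, Dict

# Constructed route table: path -> minimum permission level needed.
# Assumption for illustration; these are not Mod Share's real routes or levels.
ROUTES: Dict[str, int] = {
    "/index": 0,
    "/forum/index": 0,
    "/admin/index": 3,
    "/admin/ban": 3,
    "/admin/forum/index": 3,
}

# Directories whose whole subtree needs a permission level (prefix check).
PROTECTED_DIRS: Dict[str, int] = {"/admin/": 3}

Dispatch = Callable[[str, int], int]


def canonical(path: str) -> str:
    """Collapse '..', '.' and duplicate slashes so a prefix check cannot be
    sidestepped with '/admin/../admin/ban' or '//admin/ban'."""
    return posixpath.normpath("/" + path.lstrip("/"))


def in_protected_dir(path: str) -> int:
    """Level required by the protected directory containing path,
    or 0 if the path is not under any protected directory."""
    for prefix, required in PROTECTED_DIRS.items():
        if path == prefix.rstrip("/") or path.startswith(prefix):
            return required
    return 0


def leaky_dispatch(path: str, level: int) -> int:
    """Existence is consulted before permission: 404 means 'no such page',
    403 means 'exists but forbidden', so an unauthorised probe can map the
    admin panel one status code at a time."""
    path = canonical(path)
    if path not in ROUTES:
        return 404
    if level < ROUTES[path]:
        return 403
    return 200


def hidden_dispatch(path: str, level: int) -> int:
    """The '404 for anything you may not see' approach from the thread:
    nothing leaks, but pages that do exist get the wrong status code."""
    path = canonical(path)
    if path not in ROUTES or level < ROUTES[path]:
        return 404
    return 200


def directory_403_dispatch(path: str, level: int) -> int:
    """Permission is checked on the directory prefix before the route table
    is consulted. Under a protected directory an unauthorised request gets
    403 whether or not the page exists; existence (404) is only revealed to
    callers who already hold the permission. Only the directory itself
    (/admin) is revealed, which is the exception noted in the thread."""
    path = canonical(path)
    if level < in_protected_dir(path):
        return 403
    if path not in ROUTES:
        return 404
    if level < ROUTES[path]:
        return 403
    return 200


# Constructed probe set: three real admin routes and two made-up ones.
PROBE_PATHS = ["/admin/index", "/admin/ban", "/admin/forum/index",
               "/admin/foo", "/admin/bar"]


def status_table(dispatch: Dispatch, level: int) -> Dict[str, int]:
    """Status code each probe path gets for a caller at the given level."""
    return {p: dispatch(p, level) for p in PROBE_PATHS}


def leaks_existence(dispatch: Dispatch, probe_level: int = 0) -> bool:
    """True if a caller without permission can tell real admin pages from
    made-up ones by status code alone."""
    existing = {dispatch(p, probe_level) for p in PROBE_PATHS if p in ROUTES}
    missing = {dispatch(p, probe_level) for p in PROBE_PATHS if p not in ROUTES}
    return existing != missing


if __name__ == "__main__":
    for name, d in [("leaky", leaky_dispatch), ("hidden-404", hidden_dispatch),
                    ("directory-403", directory_403_dispatch)]:
        print(f"{name}: user={status_table(d, 0)} leaks={leaks_existence(d)}")
    print("admin:", status_table(directory_403_dispatch, 3))
```

Running it reproduces the table from the thread: with directory_403_dispatch a level-0 user gets 403 for all five paths while a level-3 admin gets 200 for the three real routes and 404 for /admin/foo and /admin/bar, and leaks_existence is False for it and True for leaky_dispatch. The normalisation step is what keeps that property under path tricks; without it, a dispatcher that normalises at routing time but not at the prefix check would answer /admin/../admin/ban from the route table and reintroduce the oracle.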
nXIII wrote:
MathWizz wrote:
You can't hide it if it is to be open source.
^ wooo 6 two letter words in a row! COMBO!
EDIT: https://www.assembla.com/code/mod-share … ages/admin
Well, you can hide the URL on the service (even though you obviously can't in the source), but that's pretty useless.
Then there's that laziness factor.
I'll do it someday.
Also, for those of you wanting to see the latest changes in the repo, be patient. We push changes there every few weeks, because it takes a while to prepare the code for public access (e.g. making the database structure files and censoring database passwords)
jvvg wrote:
Also, for those of you wanting to see the latest changes in the repo, be patient. We push changes there every few weeks, because it takes a while to prepare the code for public access (e.g. making the database structure files and censoring database passwords)
Just use a configuration file and exclude it from the repo (or push a default one with comments explaining each option).
nXIII wrote:
jvvg wrote:
Also, for those of you wanting to see the latest changes in the repo, be patient. We push changes there every few weeks, because it takes a while to prepare the code for public access (e.g. making the database structure files and censoring database passwords)
Just use a configuration file and exclude it from the repo (or push a default one with comments explaining each option).
Also, the other problem is that LS doesn't know much about Git, and doesn't want the hassle of pushing changes every time, so we decided it would be easier just to push changes every few weeks. Also, we don't want to have all of those database update files that Scratch has. We like to only have 2-3 database files.
Last edited by jvvg (2012-10-01 21:07:09)
Let's rephrase that: LS97 doesn't like git much because he isn't used to working with it too often.
The main problem with the delayed change pushes is that we have to export the databases but without the sensitive information like passwords.