Scratch

You'll notice that visiting the site, you are redirected to the election page. This is in place to get everybody to vote.

by the way, it's giving a 404 error.

it only gives a 404 if you're not logged in

jvvg wrote:

veggieman001 wrote:

it only gives a 404 if you're not logged in

Yeah, because of the way we programmed permissions, if you don't have permissions necessary to view a page, it just gives a 404. (another code idea I borrowed from Scratch  )
It's nice for admin pages, so people won't know the URLs. For other things, we didn't want to write more code.

HTTP 403 is much more appropriate in this situation.

LS97 wrote:

nXIII wrote:

jvvg wrote:

Yeah, because of the way we programmed permissions, if you don't have permissions necessary to view a page, it just gives a 404. (another code idea I borrowed from Scratch  )
It's nice for admin pages, so people won't know the URLs. For other things, we didn't want to write more code.

HTTP 403 is much more appropriate in this situation.

Well, maybe we don't really want people to know where exactly the page is at 

That's why admin pages give a 404. If it gives a 403, people will know the URL.
For the other ones, I'm just too lazy to write new code. 

LS97 wrote:

jvvg wrote:

LS97 wrote:

Well, maybe we don't really want people to know where exactly the page is at 

That's why admin pages give a 404. If it gives a 403, people will know the URL.
For the other ones, I'm just too lazy to write new code. 

Although you could show a 403 for permissions < 3 and a 404 for permission 3...

That's true.
I might implement that later today.

nXIII wrote:

LS97 wrote:

Well, maybe we don't really want people to know where exactly the page is at 

It doesn't matter if they have the URL, because they can't access it.

EDIT: Alternatively, always return a 403 on admin directories, which meets both requirements (the URLs are not exposed and the correct status code is returned)

Returning a 403 does expose the URL, because people will see that the page does in fact exist.
The 404 tells the user that there is no page there and they are just wasting their time.

SJRCS_011 wrote:

jvvg wrote:

nXIII wrote:

It doesn't matter if they have the URL, because they can't access it.

EDIT: Alternatively, always return a 403 on admin directories, which meets both requirements (the URLs are not exposed and the correct status code is returned)

Returning a 403 does expose the URL, because people will see that the page does in fact exist.
The 404 tells the user that there is no page there and they are just wasting their time.

though the purpose has sorta already been defeated, cause the site's open source. 

True, but it's the same thing on this website, and I tried to copy a lot of the "good" aspects of ScratchR into the Mod Share Platform IV.
Stuff like the dispatcher, using entirely MySQL, caching data, even the ban screen, they all were related to ScratchR.

nXIII wrote:

jvvg wrote:

Returning a 403 does expose the URL, because people will see that the page does in fact exist.
The 404 tells the user that there is no page there and they are just wasting their time.

That's not correct: returning a 403 status code unconditionally for a directory if permission is denied does not expose the URL (except for the root protected directory). For example:

Admin:
/admin/index - 200
/admin/ban - 200
/admin/forum/index - 200
/admin/foo - 404
/admin/bar - 404

User:

/admin/index - 403
/admin/ban - 403
/admin/forum/index - 403
/admin/foo - 403
/admin/bar - 403

As you can see, the correct URLs are indistinguishable from the incorrect ones when permission is not granted to the user.

However, it does reveal that the admin panel is at /admin, while it might be somewhere else (I happen to know it's /administration here). For Mod Share, you need to find out yourself.

MathWizz wrote:

You can't hide it if it is to be open source.

^ wooo 6 two letter words in a row! COMBO!

EDIT: https://www.assembla.com/code/mod-share … ages/admin

Well, you can hide the URL on the service (even though you obviously can't in the source), but that's pretty useless.

In summary: return 403s for forbidden pages and 404s for nonexistent pages. If your auth actually works, nobody cares if they have the URLs because they can't access them.

Last edited by nXIII (2012-10-01 20:56:52)

jvvg wrote:

Also, for those of you wanting to see the latest changes in the repo, be patient. We push changes there every few weeks, because it takes a while to prepare the code for public access (e.g. making the database structure files and censoring database passwords)

Just use a configuration file and exclude it from the repo (or push a default one with comments explaining each option).

Let's rephrase that: LS97 doesn't like git much because he isn't used to working with it too often.

The main problem with the delayed change pushes is that we have to export the databases but without the sensitive information like passwords.