[geeklog-devel] Geeklog and 404 Errors

[Dirk Haun]

Tom wrote:

> 1) If the id  of the item exists or not (staticpage, article, topic,
> comment, etc) and if they have access to it or not. Right now the message
> tells the user the item either doesn't exist or they do not have access.
> Basically we are telling them it is a 404 or 403. The problem is when search
> engines find these type of links they do not realize it is a 404 or 403 and
> proceed to index the page. I still think we should set a 404 error and have
> a general message (like how 404.php works) stating that the page doesn't
> exist or that they may not have access and then point them to the home page
> or search page. A 404 error gives them less information that a 403 error.


Let's see: A 404 would be an improvement over the current situation. And that includes the situations where a 403 would be more appropriate. A malicious user trying to gather whatever information that way would still not be able to tell the difference between "doesn't exist" and "not allowed". A bot would never be able to access a 403'd page anyway, so we might as well tell them that the page doesn't exist.

In other words, if we always send a 404 instead of always redirecting to the front page (for non-existing items), we would improve things and still not give any information away. Right?


> 2) Going over the page limits for things like comments and topics. I think
> this one is relatively straight forward and we should return a 404.

I had a quick look through the list of HTTP status codes to see if there's anything that would be more appropriate but I don't see anything (some come close, but refer to specific HTTP header fields which we don't use).

So: What Vinny said.

bye, Dirk


-- 
http://www.themobilepresenter.com/