Feature #14601

Improve returned HTTP status code for requests for account/show

Added by Mischa The Evil about 4 years ago. Updated about 4 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Accounts / authentication
Target version: -
Start date:
Due date:
% Done: 0%
Resolution:

Description

I noticed this behavior while reviewing #6688.

User Miriam Blumenstein (id: 43592) is watching the issue. Clicking through to account/show leads to a 404 ("The page you were trying to access doesn't exist or has been removed."), which makes me think the user has been deleted. Nonetheless, the user is still (rendered as) a watcher of the issue and is still proposed as a watcher of objects (in the 'search for watchers' dialog).

I tried to reproduce this on m.redmine.org but was not successful.


Related issues

Related to Redmine - Patch #18128: Make User profile 404 rendering more consistent (and speed up Users#show API) - Closed

History

#1 Updated by Jean-Philippe Lang about 4 years ago

Actually this user is absolutely not deleted. It's just that non-admin users are not allowed to view all users:
source:/tags/2.3.2/app/controllers/users_controller.rb#L68

Maybe a 403 would be more appropriate.

#2 Updated by William Li about 4 years ago

Jean-Philippe Lang wrote:

Actually this user is absolutely not deleted. It's just that non-admin users are not allowed to view all users:
source:/tags/2.3.2/app/controllers/users_controller.rb#L68

Maybe a 403 would be more appropriate.

I suggest that when the user is active, it should return a 403 response instead.
If the user is not active, still return 404.

#3 Updated by Mischa The Evil about 4 years ago

  • Tracker changed from Defect to Feature
  • Subject changed from Seemingly deleted users still appear as watcher-candidates and actual watchers to Improve returned HTTP status code for requests for account/show
  • Category changed from Website (redmine.org) to Accounts / authentication
  • Assignee deleted (Jean-Philippe Lang)

Jean-Philippe Lang wrote:

Actually this user is absolutely not deleted. It's just that non-admin users are not allowed to view all users:
source:/tags/2.3.2/app/controllers/users_controller.rb#L68

Thanks for this info! I wasn't aware of these conditions at all and I obviously failed to check the corresponding controller action before posting :-/
OT: this new (to me) info sheds a new light on #11724...

William Li wrote:

Jean-Philippe Lang wrote:

[...]

Maybe a 403 would be more appropriate.

I suggest that when the user is active, it should return a 403 response instead.
If the user is not active, still return 404.

I tend to agree with William on this, but I am not sure whether or not a 404 is the best option when a user is locked (in contrast to a user who is registered but not activated).
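The status-code policy discussed in this thread, written out as an added Ruby example; this is not Redmine's code and does not reproduce the check in users_controller.rb. The status names, the visibility rule (an admin sees everyone, a user sees themselves, otherwise only members of a shared project are visible) and the sample user directory are assumptions made for the example. It follows William's proposal for non-admin viewers (403 for an active user the viewer may not see, 404 when the user is not active) and keeps admins able to view every existing user, since the thread describes the restriction as applying to non-admins; the locked case is the one comment #3 leaves open.

```ruby
# Added example, not Redmine's code: decide which HTTP status a request for
# account/show (users#show) should get, following the proposal in this thread.

User = Struct.new(:id, :status, :admin, :project_ids, keyword_init: true)

# Assumed status names; Redmine's own constants are not used here.
STATUS_ACTIVE     = :active
STATUS_REGISTERED = :registered # signed up but not yet activated
STATUS_LOCKED     = :locked

# Constructed user directory standing in for the database.
USERS = {
  1 => User.new(id: 1, status: STATUS_ACTIVE,     admin: true,  project_ids: [10]),
  2 => User.new(id: 2, status: STATUS_ACTIVE,     admin: false, project_ids: [10, 11]),
  3 => User.new(id: 3, status: STATUS_ACTIVE,     admin: false, project_ids: [12]),
  4 => User.new(id: 4, status: STATUS_REGISTERED, admin: false, project_ids: []),
  5 => User.new(id: 5, status: STATUS_LOCKED,     admin: false, project_ids: [10]),
}.freeze

# Assumed visibility rule for non-admin viewers: a user sees themselves and
# anyone sharing a project with them. (The real rule lives in the controller.)
def visible_to?(user, viewer)
  return true if viewer.id == user.id
  (user.project_ids & viewer.project_ids).any?
end

# HTTP status for GET /account/show?id=<user_id> as seen by `viewer`.
#   404: no such user, or (for non-admins) user is registered/locked
#   403: user exists and is active but the viewer may not see them
#   200: user is shown
def show_status(user_id, viewer, users: USERS)
  user = users[user_id]
  return 404 if user.nil?                        # unknown id: nothing to show
  return 200 if viewer.admin                     # admins may view all users
  return 404 unless user.status == STATUS_ACTIVE # William's rule: inactive -> 404
  visible_to?(user, viewer) ? 200 : 403          # exists and active, but hidden
end

if __FILE__ == $PROGRAM_NAME
  viewer = USERS[2] # a non-admin viewer
  USERS.keys.push(99).each do |id|
    puts "user #{id} as seen by user #{viewer.id}: #{show_status(id, viewer)}"
  end
end
```

Run with `ruby status_example.rb` (an assumed file name); the table it prints shows user 3 as 403 rather than 404 for the non-admin viewer, which is the change the thread asks for, while users 4 and 5 keep returning 404.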

#4 Updated by Mischa The Evil almost 3 years ago

  • Related to Patch #18128: Make User profile 404 rendering more consistent (and speed up Users#show API) added
