<p>Redmine - Feature #14601: Improve returned HTTP status code for requests for account/show</p>
<p>Jean-Philippe Lang (jp_lang@yahoo.fr), 2013-08-05T18:19:58Z, https://www.redmine.org/issues/14601?journal_id=51001</p>
<p>Actually this user is absolutely not deleted. It's just that non-admin users are not allowed to view all users:<br /><a class="source" href="https://www.redmine.org/projects/redmine/repository/svn/entry/tags/2.3.2/app/controllers/users_controller.rb#L68">source:/tags/2.3.2/app/controllers/users_controller.rb#L68</a></p>
<p>Maybe a 403 would be more appropriate.</p>
<p>William Li, 2013-08-06T06:33:46Z, https://www.redmine.org/issues/14601?journal_id=51025</p>
<p>Jean-Philippe Lang wrote:</p>
<blockquote>
<p>Actually this user is absolutely not deleted. It's just that non-admin users are not allowed to view all users:<br /><a class="source" href="https://www.redmine.org/projects/redmine/repository/svn/entry/tags/2.3.2/app/controllers/users_controller.rb#L68">source:/tags/2.3.2/app/controllers/users_controller.rb#L68</a></p>
<p>Maybe a 403 would be more appropriate.</p>
</blockquote>
<p>I suggest that when the user is active, it should return a 403 response instead.<br />If the user is not active, still return 404.</p>
<p>Mischa The Evil, 2013-08-14T02:09:52Z, https://www.redmine.org/issues/14601?journal_id=51219</p>
<ul><li><strong>Tracker</strong> changed from <i>Defect</i> to <i>Feature</i></li><li><strong>Subject</strong> changed from <i>Seemingly deleted users still appear as watcher-candidates and actual watchers</i> to <i>Improve returned HTTP status code for requests for account/show</i></li><li><strong>Category</strong> changed from <i>Website (redmine.org)</i> to <i>Accounts / authentication</i></li><li><strong>Assignee</strong> deleted (<del><i>Jean-Philippe Lang</i></del>)</li></ul>
<p>Jean-Philippe Lang wrote:</p>
<blockquote>
<p>Actually this user is absolutely not deleted. It's just that non-admin users are not allowed to view all users:<br /><a class="source" href="https://www.redmine.org/projects/redmine/repository/svn/entry/tags/2.3.2/app/controllers/users_controller.rb#L68">source:/tags/2.3.2/app/controllers/users_controller.rb#L68</a></p>
</blockquote>
<p>Thanks for this info! I wasn't aware of these conditions at all and I obviously failed to check the corresponding controller action before posting :-/<br />OT: this new (to me) info sheds a new light on <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: Prevent users from seeing other users based on their project membership (Closed)" href="https://www.redmine.org/issues/11724">#11724</a>...</p>
<p>William Li wrote:</p>
<blockquote>
<p>Jean-Philippe Lang wrote:</p>
<blockquote>
<p>[...]</p>
<p>Maybe a 403 would be more appropriate.</p>
</blockquote>
<p>I suggest that when the user is active, it should return a 403 response instead.<br />If the user is not active, still return 404.</p>
</blockquote>
<p>I tend to agree with William on this but I am not sure whether or not a 404 is the best option when a user is locked (in contrast to a user who is registered but not activated).</p>
<p>Mischa The Evil, 2014-10-23T01:46:17Z, https://www.redmine.org/issues/14601?journal_id=59306</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-3 status-5 priority-4 priority-default closed" href="/issues/18128">Patch #18128</a>: Make User profile 404 rendering more consistent (and speed up Users#show API)</i> added</li></ul>