attempting to authorize a disabled page should not redirect
e.g. when "public profiles" are "disabled" (through new section configuration toggles), attempting to access the disabled pages should not redirect to an "unauthorized" page. Instead, a non-OK http code should be returned so that the address of the page to which I'm not authorized remains in the address bar.
Updated by Phil Hodgson about 8 years ago
On consideration, I would propose one of the following two solutions:
- Official HTTP behaviour: the URL stays intact, a 403 status code is sent back along with a brief bit of text. I would make the text different depending on the circumstance, either "You are not authorized to see this resource" or "This resource has been disabled", depending
- I try to make a better 403 page that has full user navigation available and so on, but the content of the page is an appropriate 403 message (again, either "You are not authorized to see this resource" or "This resource has been disabled", depending), along with a display of the URL that was requested.
There may be another compromise, and I'm open to suggestions.
One thing's for certain, and that is there are only two circumstances when this would happen:
- There is a bug in Tapestry in the form of a link or redirection that was overlooked during my "sectioning off" of Tapestry
- The user is really trying to do something they oughtn't to be doing
I.e. we can conceivably make an argument that the solution does not have to be "pretty" because it should never happen if everything is working properly.