Feature #14601
Improve returned HTTP status code for requests for account/show
Status: open
Description
I noticed this behavior while reviewing #6688.
User Miriam Blumenstein (id: 43592) is watching the issue. Clicking through to account/show leads to a 404 - The page you were trying to access doesn't exist or has been removed., which leads me to think the user has been deleted. Nonetheless, the user is still (rendered as) a watcher of the issue and is still proposed as a watcher of objects (in the 'search for watchers' dialog).
I tried to reproduce this on m.redmine.org but was not successful.
Related issues
Updated by Jean-Philippe Lang over 11 years ago
Actually this user is absolutely not deleted. It's just that non-admin users are not allowed to view all users:
source:/tags/2.3.2/app/controllers/users_controller.rb#L68
Maybe a 403 would be more appropriate.
Updated by William Li over 11 years ago
Jean-Philippe Lang wrote:
Actually this user is absolutely not deleted. It's just that non-admin users are not allowed to view all users:
source:/tags/2.3.2/app/controllers/users_controller.rb#L68
Maybe a 403 would be more appropriate.
I suggest that when the user is active, it should return a 403 response instead.
If the user is not active, still return 404.
Updated by Mischa The Evil over 11 years ago
- Tracker changed from Defect to Feature
- Subject changed from Seemingly deleted users still appear as watcher-candidates and actual watchers to Improve returned HTTP status code for requests for account/show
- Category changed from Website (redmine.org) to Accounts / authentication
- Assignee deleted (Jean-Philippe Lang)
Jean-Philippe Lang wrote:
Actually this user is absolutely not deleted. It's just that non-admin users are not allowed to view all users:
source:/tags/2.3.2/app/controllers/users_controller.rb#L68
Thanks for this info! I wasn't aware of these conditions at all and I obviously failed to check the corresponding controller action before posting :-/
OT: this new (to me) info sheds a new light on #11724...
William Li wrote:
Jean-Philippe Lang wrote:
[...]
Maybe a 403 would be more appropriate.
I suggest that when the user is active, should return a 403 response instead.
If the user is not active, still return 404
I tend to agree with William on this, but I am not sure whether or not a 404 is the best option when a user is locked (in contrast to a user who is registered but not activated).
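To make the two policies in this thread comparable (the current "everything non-visible is a 404" behaviour Jean-Philippe describes, and William's "403 when active but not visible, 404 only when missing or not active" proposal, with the locked-versus-registered question Mischa raises left as a parameter), here is an added example written for this page. It is not Redmine's own code and does not reproduce users_controller.rb; the Viewer/Target structs, the status symbols, the sample accounts and the "shares a visible project" stand-in for the real visibility rule are all assumptions made for the example.

```ruby
# Added example, not Redmine's code: the HTTP status decision for
# GET /users/:id (account/show) modelled as plain Ruby, runnable without Rails.

Viewer = Struct.new(:id, :admin, keyword_init: true)
Target = Struct.new(:id, :status, keyword_init: true)  # :active, :registered or :locked

# Constructed sample accounts (not real redmine.org data).
ACCOUNTS = {
  1 => Target.new(id: 1, status: :active),
  2 => Target.new(id: 2, status: :active),
  3 => Target.new(id: 3, status: :registered),  # signed up, never activated
  4 => Target.new(id: 4, status: :locked),      # was active, then locked
}.freeze

# Simplified stand-in (assumption) for "non-admin users are not allowed to
# view all users": a non-admin sees themselves and anyone they share a
# visible project with. Admins are handled by the callers below.
def visible_to?(viewer, target, shares_project)
  viewer.id == target.id || shares_project
end

# Behaviour reported in the issue: every refusal is rendered as 404, so the
# requester cannot tell a hidden account from a deleted one.
def current_status(viewer, id, shares_project: false)
  target = ACCOUNTS[id]
  return 404 if target.nil?
  return 200 if viewer.admin                        # admins are not restricted
  return 404 unless target.status == :active
  return 404 unless visible_to?(viewer, target, shares_project)
  200
end

# The proposal: 403 when the account exists and is active but is not visible
# to the viewer; 404 only when it does not exist or is not active. Which
# non-active statuses count as "not active" (locked? registered?) is still
# open in the thread, so it is a parameter here.
def proposed_status(viewer, id, shares_project: false, hidden: [:registered, :locked])
  target = ACCOUNTS[id]
  return 404 if target.nil?
  return 200 if viewer.admin
  return 404 if hidden.include?(target.status)
  return 403 unless visible_to?(viewer, target, shares_project)
  200
end

# Side-by-side table for one viewer; id 99 stands for a deleted/nonexistent user.
def comparison(viewer, ids = ACCOUNTS.keys + [99])
  ids.map { |id| [id, current_status(viewer, id), proposed_status(viewer, id)] }
end

if __FILE__ == $PROGRAM_NAME
  viewer = Viewer.new(id: 1, admin: false)
  puts format('%-4s %-8s %-8s', 'id', 'current', 'proposed')
  comparison(viewer).each { |id, cur, prop| puts format('%-4d %-8d %-8d', id, cur, prop) }
end
```

Running it as a non-admin shows the only rows that change are active-but-not-visible accounts (404 becomes 403); nonexistent and non-active accounts still get 404 under both policies. Passing `hidden: [:registered]` moves locked accounts into the 403 group, which is the locked-user case the thread has not settled. One thing the table makes visible: a 403 tells the requester that an account with that id exists, which the uniform 404 did not, so the choice also decides whether account existence is disclosed to non-admins.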
Updated by Mischa The Evil about 10 years ago
- Related to Patch #18128: Make User profile 404 rendering more consistent (and speed up Users#show API) added