alphagov / govuk-design-system-backlog

GOV.UK Design System Community Backlog

Access denied pattern #158

Open mtallamy opened 5 years ago

mtallamy commented 5 years ago

What

Pattern for Access Denied resource page, responding to an HTTP 403

Why

For authenticated sites, particularly for users with different roles/claims, they need to indicate where access to a resource has been forbidden.

Anything else

This is likely to take a similar format to the existing resource not found (404) pattern.

stevenaproctor commented 5 years ago

@mtallamy The default one for HMRC is almost identical to the 404. We tried to keep it general rather than too technical.

<h1>You do not have permission to access this service</h1> <p><a href="mailto:emailaddress">Email emailaddress</a> if you think you do have permission to access this service.</p>

mtallamy commented 5 years ago

Thanks for this @stevenaproctor. I agree that should be non-technical and very close to the 404, which is what we've implemented as a starter for 10 (adapting the 404 pattern). I also agree there should be contact details if the user thinks they should have access.

The example you give appears to assume that a user doesn't have access to the entire service, which in our case at least might not be the case. I'd prefer to see the message relate to a specific resource, rather than the entire service.

From a security perspective, and this moves away from my request for a specific 403 page, I wonder if there should be any differentiation between a 403 and a 404, i.e. should we indicate to a (potentially malicious) user that a resource does exist, even though they don't have access to it. Be interested on opinions on this.

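As an added illustration of the question raised above (not code from the original issue or from GOV.UK), the following Python sketch models the two choices for a forbidden resource: return a 403 page, which confirms the resource exists, or return the same 404 page a missing resource gets, so existence is not disclosed. The service name, resource paths, users, roles and page titles are constructed sample data; the titles loosely follow the wording quoted in the thread.

```python
"""Constructed example: choosing the status and page for a denied request.

Models the 403-versus-404 question from the thread. Every resource path,
user, role and page title below is made-up sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: the role needed to use the service at all, and
# which user owns each resource inside it.
SERVICE_ROLE = "caseworker"
RESOURCES = {
    "/cases/1001": "alice",
    "/cases/1002": "bob",
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Response:
    status: int
    title: str


# Constructed page titles, loosely following those quoted in the thread.
PAGE_NOT_FOUND = Response(404, "Page not found")
NO_SERVICE_ACCESS = Response(403, "You do not have permission to access this service")
NO_RESOURCE_ACCESS = Response(403, "You do not have permission to access this page")


def resolve(path: str, user: Optional[User], hide_existence: bool) -> Response:
    """Decide what to show for a request.

    hide_existence=False: a forbidden resource gets the 403 page, which tells
    the caller that the resource exists.
    hide_existence=True: a forbidden resource gets exactly the 404 page a
    missing one would, so its existence is not disclosed.
    A service-level denial stays a 403 either way, because the service itself
    is public knowledge and there is nothing to hide.
    """
    if user is None or SERVICE_ROLE not in user.roles:
        return NO_SERVICE_ACCESS
    owner = RESOURCES.get(path)
    if owner is None:
        return PAGE_NOT_FOUND
    if owner != user.name:
        return PAGE_NOT_FOUND if hide_existence else NO_RESOURCE_ACCESS
    return Response(200, "Case " + path.rsplit("/", 1)[-1])


def distinguishable(user: Optional[User], existing: str, missing: str,
                    hide_existence: bool) -> bool:
    """True if this caller gets different responses for an existing resource
    they may not see and for a resource that does not exist at all."""
    return resolve(existing, user, hide_existence) != resolve(missing, user, hide_existence)


if __name__ == "__main__":
    bob = User("bob", frozenset({SERVICE_ROLE}))
    for hide in (False, True):
        print("hide_existence =", hide,
              "-> distinguishable:",
              distinguishable(bob, "/cases/1001", "/cases/9999", hide))
```

The comparison in distinguishable checks the whole response, not just the status code: if the two pages differ in any way (title, body, headers, or response time), the hide-existence policy gives the caller the same information a 403 would.
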
stevenaproctor commented 5 years ago

@mtallamy Good point about being able to access the service versus the resource. We use "service" because that is the more common case but there would definitely be times when people could not get into specific resources or journeys. But, in our case, this would be handled, generally, without getting a https error.

Our page is almost identical to our 404 but we felt saying 'Page not found' was not the best user experience.

adyhoran1 commented 2 years ago

Myself and other DfE content designers have created You do not have access pages for internal services. I think a pattern that gives guidance to Civil Service on whether and how to create You do not have access pages would be very useful 🙂

[screenshots of DfE pages: "You do not have permission to perform this action" and "You do not have access"]

Huskyteer commented 2 years ago

Example from the Home Office used for 401 and 403 errors.

[screenshot of the Home Office error page, 2022-05-20]

Ciandelle commented 2 years ago

Quick question - do we feel like this idea is covered by the There is a problem with the service pages?

edwardhorsford commented 2 years ago

Quick question - do we feel like this idea is covered by the There is a problem with the service pages?

@Ciandelle they're similar / related, but it's a different content need.

edwardhorsford commented 2 years ago

@Ciandelle I do think there could possibly be a single section on error pages with a bunch of different examples - you don't necessarily need a 'pattern' on each...

mtallamy commented 2 years ago

@Ciandelle I do think there could possibly be a single section on error pages with a bunch of different examples - you don't necessarily need a 'pattern' on each...

agreed, sounds good!