fsr-de / myHPI

Django/Wagtail page serving myhpi.de
https://myhpi.de

Better "Access Denied" Page #520

Open dasGoogle opened 8 months ago

dasGoogle commented 8 months ago

The current "Access Denied" page is very generic and provides me with a wall of text. As a user, I'd appreciate it if it gave me feedback on the specific reason why I cannot see the page I am trying to access.

If this is too complicated, we could at least provide a large orange "Try logging in" Button for users who are not signed in.

For a more complete attempt at fixing the issue, I see the following four cases that should be handled:

The page is only available to logged-in users and I am not logged in: Say that the page is only available to logged-in users and provide a large button that leads through the login process.

The page is available only to users from a group that I am not a member of: Say specifically that it is only available to groups that I am not a member of and ask the person to contact the source of the link they were given. We could of course show which groups would be able to access the link, but I think this leaks too much information.

The page is available to the university network or logged-in users: Say that the page would be available from the university network or that one can try signing in using an HPI account, provide a corresponding button.

The page is only available to university network users: While this would be a pretty weird use case, we can also provide the specific error here.

I do see that this complicates the logic quite a bit and we'd probably have to hardcode some things to differentiate between "normal" groups and the University Network group. I do not see any major security concerns in providing this amount of additional information, but am open to some discussion about the whole topic.
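The four cases above, as an added example that is not part of this issue or of the myHPI code base. It models Wagtail-style per-page view restrictions (login-only or group-restricted, with restrictions inherited from ancestor pages all having to hold) as plain Python, and classifies a denied request into one of the four reasons without naming the groups that would grant access, so the message does not leak membership information. The group name `University Network`, the sample address range, and all function names are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
import ipaddress


class RestrictionKind(Enum):
    LOGIN = "login"    # any signed-in user may view
    GROUPS = "groups"  # only members of the listed groups may view


@dataclass(frozen=True)
class ViewRestriction:
    kind: RestrictionKind
    groups: frozenset = frozenset()  # group names; only used for GROUPS


# Hypothetical: the group that stands for "requests from the university network".
# The issue suggests hardcoding this to tell it apart from "normal" groups.
UNIVERSITY_NETWORK_GROUP = "University Network"
# Constructed sample range standing in for the campus address space (not real).
UNIVERSITY_NETWORKS = (ipaddress.ip_network("10.0.0.0/8"),)


class DenialReason(Enum):
    ALLOWED = "allowed"
    LOGIN_REQUIRED = "login_required"      # case 1: login-only page, not signed in
    GROUP_REQUIRED = "group_required"      # case 2: signed in, but not in a granting group
    NETWORK_OR_LOGIN = "network_or_login"  # case 3: network or a group would do
    NETWORK_ONLY = "network_only"          # case 4: only the university network


# User-facing text per reason. Deliberately never mentions which groups would grant access.
MESSAGES = {
    DenialReason.ALLOWED: "",
    DenialReason.LOGIN_REQUIRED: "This page is only available to logged-in users. Please log in.",
    DenialReason.GROUP_REQUIRED: "This page is restricted to specific groups you are not a member of. "
                                 "Please contact whoever gave you this link.",
    DenialReason.NETWORK_OR_LOGIN: "This page is available from the university network, "
                                   "or you can try signing in with your HPI account.",
    DenialReason.NETWORK_ONLY: "This page is only available from the university network.",
}


def on_university_network(client_ip: str) -> bool:
    """True if the client address falls inside one of the configured campus ranges."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # malformed or missing address never counts as on-network
    return any(addr in net for net in UNIVERSITY_NETWORKS)


def restriction_satisfied(r: ViewRestriction, is_authenticated: bool,
                          user_groups: frozenset, client_ip: str) -> bool:
    if r.kind is RestrictionKind.LOGIN:
        return is_authenticated
    # The network "group" is satisfied by the client address, never by DB membership.
    if UNIVERSITY_NETWORK_GROUP in r.groups and on_university_network(client_ip):
        return True
    real_groups = r.groups - {UNIVERSITY_NETWORK_GROUP}
    return is_authenticated and bool(real_groups & user_groups)


def denial_reason(restrictions, is_authenticated: bool, user_groups, client_ip: str) -> DenialReason:
    """Classify a request against the page's restrictions (ancestor restrictions first).

    The first unsatisfied restriction decides the reason shown to the user.
    """
    user_groups = frozenset(user_groups)
    for r in restrictions:
        if restriction_satisfied(r, is_authenticated, user_groups, client_ip):
            continue
        if r.kind is RestrictionKind.LOGIN:
            return DenialReason.LOGIN_REQUIRED
        other_groups = r.groups - {UNIVERSITY_NETWORK_GROUP}
        if UNIVERSITY_NETWORK_GROUP in r.groups:
            if not other_groups:
                return DenialReason.NETWORK_ONLY
            if not is_authenticated:
                return DenialReason.NETWORK_OR_LOGIN
        if not is_authenticated:
            # Membership cannot be evaluated for an anonymous user; suggest logging in first.
            return DenialReason.LOGIN_REQUIRED
        return DenialReason.GROUP_REQUIRED
    return DenialReason.ALLOWED


def message_for(reason: DenialReason) -> str:
    return MESSAGES[reason]


if __name__ == "__main__":
    # Constructed sample: a group-restricted page reachable from the campus network.
    page = [ViewRestriction(RestrictionKind.GROUPS, frozenset({UNIVERSITY_NETWORK_GROUP, "Students"}))]
    reason = denial_reason(page, is_authenticated=False, user_groups=(), client_ip="203.0.113.5")
    print(reason.value, "->", message_for(reason))
```

An anonymous user hitting a group-restricted page is told to log in rather than that they lack a group, because without a session the server cannot know their memberships; only once signed in does the "contact the source of the link" message apply. Plugging this into a real Django view means reading the page's `PageViewRestriction` rows and `request.user` / `request.META` instead of the constructed inputs used here.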

dasGoogle commented 8 months ago

The reason as to why I created this issue: It appears that users who are not familiar with myHPI often report that "Links don't work", which appears to be the case because they are not signed in.

From watching users while they use myHPI, when shown an error page, they do not immediately find the current log-in button but rather give up.