silverstripe / silverstripe-installer

The installer for Silverstripe CMS and Framework. Check out this repository to start working with Silverstripe!
http://silverstripe.org/
BSD 3-Clause "New" or "Revised" License

Logged-in only access directs to 404 #265

Open brynwhyman opened 4 years ago

brynwhyman commented 4 years ago

Overview

Following the test scenario below:

Steps to recreate

Test definition

  1. Given I go to the Settings administration section
  2. And I click the Access tab
  3. When I change Who can view pages on this site? to Logged-in users
  4. And I save the page
  5. And I log out of the CMS
  6. And I go to the website's frontend, visiting real and fake page slugs (FAIL)
  7. Then I should see the login form

Actual result: 7. Website visitor is taken to the default 404 page when visiting a fake page
Expected result: 7. Then I should see the login form

Version

4.5.rc-1

Cheddam commented 4 years ago

This could be considered expected behaviour - broadly, if a page exists but the user doesn't have permission to view it, the CMS shouldn't expose its existence by redirecting to a login form, which has been an issue in the past. Perhaps there should be an exception for the root (home) page, though - every site has one, and since it doesn't have a visible slug it wouldn't be exposing any unique information.

robbieaverill commented 4 years ago

I think from the settings tab of the site this should redirect to a login form; you're essentially saying protect the entire site. For page-level settings, though, perhaps not.

Cheddam commented 4 years ago

Right, so if all URLs, valid or not, redirected to the login form this would make sense - but if there is different behaviour between trying to load a real page you don't have access to, and trying to load a non-existent page, that's leaking information (it may seem inconsequential, but there is the risk of competitors trawling potential URLs to identify upcoming product launches for example).
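The distinction Cheddam describes, as an added illustration rather than Silverstripe's own code: a per-page check that answers 404 for unknown slugs lets an anonymous visitor tell real slugs from fake ones, while a site-wide gate evaluated before routing gives every anonymous request the same answer. The `PAGES` map, the handler names and the `/login` path are constructed for this example.

```python
# Constructed sample site map: slug -> published? (example data, not a real site)
PAGES = {"home": True, "about": True, "new-product": True}

# Simplified responses; the real CMS returns full HTTP responses.
LOGIN = ("redirect", "/login")   # placeholder login URL
NOT_FOUND = ("status", 404)
OK = ("status", 200)


def leaky_handler(slug, logged_in):
    """Route first, then check access.

    Unknown slugs get 404 before any permission check, so an anonymous
    visitor learns which slugs exist by comparing responses.
    """
    if slug not in PAGES:
        return NOT_FOUND
    if not logged_in:
        return LOGIN
    return OK


def uniform_handler(slug, logged_in, site_requires_login=True):
    """Apply the site-wide 'logged-in users only' setting before routing.

    With the setting on, every anonymous request gets the same login
    redirect whether or not the slug exists; logged-in users still get
    a normal 404 for missing pages.
    """
    if site_requires_login and not logged_in:
        return LOGIN
    if slug not in PAGES:
        return NOT_FOUND
    return OK


def distinguishable(handler, real_slug, fake_slug):
    """True if an anonymous visitor can tell a real slug from a fake one."""
    return handler(real_slug, False) != handler(fake_slug, False)
```

`distinguishable(leaky_handler, "about", "nope")` is `True` while `distinguishable(uniform_handler, "about", "nope")` is `False`, which is the behaviour change requested in the issue.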

brynwhyman commented 4 years ago

To @Cheddam's point, I've updated the description to make this clear, namely:

  1. And I go to the website's frontend, visiting real and fake page slugs

Actual result: 7. Website visitor is taken to the default 404 page when visiting a fake page

I raised this in this module because I thought the behaviour differed from a cwp-installer site. I've since retested and can't see a difference. Perhaps there's a better place for this issue?

To be clear, my expectation is that no matter whether the page exists or not, the visitor should always be directed to a login form.

robbieaverill commented 4 years ago

I guess that’d be a behaviour change to what’s there now but it makes sense to me. +1