Access denied pattern #158
Comments
@mtallamy The default one for HMRC is almost identical to the 404. We tried to keep it general rather than too technical.
Thanks for this @stevenaproctor. I agree that it should be non-technical and very close to the 404, which is what we've implemented as a starter for 10 (adapting the 404 pattern). I also agree there should be contact details if the user thinks they should have access. The example you give appears to assume that a user doesn't have access to the entire service, which in our case at least might not be the case. I'd prefer to see the message relate to a specific resource, rather than the entire service. From a security perspective, and this moves away from my request for a specific 403 page, I wonder if there should be any differentiation between a 403 and a 404, i.e. should we indicate to a (potentially malicious) user that a resource does exist, even though they don't have access to it. Be interested in opinions on this.
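The 403-versus-404 question raised in the comment above, as an added example that is not part of this issue or of the design system's code. It shows a minimal request handler with two response policies ("distinguish": a forbidden resource gets a 403 access-denied page; "conceal": a forbidden resource gets the same 404 page as a missing one) and a check that tells you whether a given policy lets a caller with no rights work out that a resource exists. The resource ids, roles and page text are constructed for the example.

```python
"""Added example, not part of the issue or the design system's code.

Two response policies for a resource the caller is not allowed to see:
  "distinguish": 403 with an access-denied page (missing resources get 404).
  "conceal":     404 with exactly the same body as a missing resource, so the
                 caller learns nothing about whether the resource exists.
Resource ids, roles and page text below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed sample data: resource id -> roles allowed to view it.
RESOURCES = {
    "tax-return/2021": {"taxpayer", "agent"},
    "tax-return/2022": {"taxpayer"},
    "admin/audit-log": {"admin"},
}

# Page text modelled on the thread's suggestion: non-technical, close to the
# 404 page, with a route for people who think they should have access.
NOT_FOUND_BODY = "Page not found. Check the address is correct or go to the start page."
ACCESS_DENIED_BODY = (
    "You do not have access to this page. "
    "If you think you should have access, contact the service team."
)


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def handle_get(resource_id: str, user_roles: set, policy: str = "conceal") -> Response:
    """Look the resource up, then authorise; return the page for this policy.

    Both the lookup and the authorisation check run before any response is
    chosen, so under "conceal" the forbidden and missing cases reach the same
    return statement and produce byte-identical responses.
    """
    if policy not in ("distinguish", "conceal"):
        raise ValueError(f"unknown policy: {policy}")
    allowed_roles = RESOURCES.get(resource_id)
    if allowed_roles is not None and allowed_roles & user_roles:
        return Response(200, f"Contents of {resource_id}")
    if allowed_roles is not None and policy == "distinguish":
        return Response(403, ACCESS_DENIED_BODY)
    return Response(404, NOT_FOUND_BODY)


def leaks_existence(policy: str) -> bool:
    """True if a caller with no rights can tell a forbidden resource from a missing one."""
    forbidden = handle_get("admin/audit-log", set(), policy)
    missing = handle_get("no/such/page", set(), policy)
    return forbidden != missing


if __name__ == "__main__":
    for name in ("distinguish", "conceal"):
        print(f"{name}: leaks existence = {leaks_existence(name)}")
```

The trade-off the thread is circling is visible in the two bodies: "conceal" gives up the contact-details route that an access-denied page is meant to offer, because the page cannot admit there is anything to request access to. A common compromise is to apply "conceal" only to resources whose existence is itself sensitive (another user's records, by id) and "distinguish" for access to a whole service or journey. Note that identical status and body is the only thing this example guarantees; response timing is not addressed.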
@mtallamy Good point about being able to access the service versus the resource. We use "service" because that is the more common case but there would definitely be times when people could not get into specific resources or journeys. But, in our case, this would be handled, generally, without getting an HTTPS error. Our page is almost identical to our 404 but we felt saying 'Page not found' was not the best user experience.
Quick question - do we feel like this idea is covered by the 'There is a problem with the service' pages?
@Ciandelle they're similar / related, but it's a different content need.
@Ciandelle I do think there could possibly be a single section on error pages with a bunch of different examples - you don't necessarily need a 'pattern' on each...
Agreed, sounds good!
What
Pattern for Access Denied resource page, responding to an HTTP 403
Why
For authenticated sites, particularly those whose users have different roles/claims, there needs to be a way to indicate where access to a resource has been forbidden.
Anything else
This is likely to take a similar format to the existing resource not found (404) pattern.