When a user has not logged into the site and attempts to use a link to a piece of content that exists, but requires permissions to view, the page that is displayed is a 404 Page not found.

Page not found
The requested page "/?q=node/734" could not be found.

I believe the correct behavior is a 403 Access Denied.

Is this due to my own error in installing/configuring the module? Or is this a bug with the module?

I am using Drupal 7.12.
Taxonomy Access Control 7.x-1.0-rc1, but I also tested with 7.x-1.0-dev and the problem persisted.
MySQL.
Another access control module I am using is Menu per Role.

Comments

joevansteen:

From the RFC for 403:

"The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead."

From a general security perspective I always prefer to tell people that things they are not authorized to know about do not exist. Saying that it is there, but you can't see it just invites trouble. This is especially true with anonymous users.

My 2 cents.

troybthompson:


I ran into this same problem. I understand the security concern, but from a user interface standpoint, many times people bookmark a page they use often that may be protected. I use modules that present a login form when access is denied, so if they get logged out, they can just enter their username/password and continue. With a 404, they have to know that they have the right URL and the error isn't real, then find the login link or type in the /user URL if it's not a public user focused site, and then use their bookmark again. For non-technical people, that's a lot of hassle.
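As an added illustration of the trade-off the two comments above describe (not code from Taxonomy Access Control, Menu per Role, or anyone in this thread), here is a tiny Drupal 7 module that applies joevansteen's policy only to anonymous visitors, so a denied node looks nonexistent to them, while authenticated users still receive Drupal's normal 403 and any access-denied handling modules keep working. The module name `hide_existence` is assumed; it relies on the fact that `menu_get_item()` has already run the node's access callback by the time `hook_init()` fires.

```php
<?php
/**
 * @file
 * hide_existence.module (assumed name; added illustration, not a published module).
 *
 * Policy: an anonymous request for a node the visitor may not view is
 * answered as if the node did not exist (404), so the URL confirms nothing.
 * Authenticated users fall through to Drupal's regular 403, so login-redirect
 * and similar modules behave as troybthompson describes for them.
 */

/**
 * Implements hook_init().
 *
 * hook_init() runs before the page callback, so the router item for the
 * current request has already been resolved and access-checked.
 */
function hide_existence_init() {
  $item = menu_get_item();

  // Only act on full-page node views; leave every other path untouched.
  // A node that really does not exist never reaches this point: its load
  // function fails, menu_get_item() returns FALSE and Drupal 404s on its own.
  if (!$item || $item['path'] != 'node/%') {
    return;
  }

  // $item['access'] holds the verdict of node_access('view', $node) for the
  // current user, as computed by the menu system.
  if (!empty($item['access'])) {
    return;
  }

  if (!user_is_logged_in()) {
    // Anonymous and denied: respond exactly as for a missing node, but keep a
    // server-side record so the masked 403s remain visible to the site admin.
    watchdog('hide_existence', 'Protected node masked as 404 for anonymous request: %path',
      array('%path' => $_GET['q']), WATCHDOG_NOTICE);
    drupal_not_found();
    drupal_exit();
  }

  // Authenticated and denied: do nothing; Drupal delivers its usual 403.
}
```

The watchdog entry is what lets a site owner still distinguish "masked 403" from a genuine 404 in the logs, which the browser-facing response deliberately does not reveal.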