mlncn's sandbox: Custom Error Alternate for Authenticated

Update: This module is now a submodule in the 7.x-1.x-dev branch of Custom Error module itself.

No patch needed. No need for this module. Just download the latest https://www.drupal.org/project/customerror and enable the Custom Error Alternate submodule.

Add alternate access denied text for logged-in users... because telling them to log in isn't going to be helpful.

Gives administrators the ability to set an alternate custom error message for 403 access denied response when a user is logged in. That is, the default 403 access denied can encourage people to log in

Requires a three-line patch to Custom Error module.

Custom Error Alternate for Authenticated could be extended to give different messages for different roles without any additional alterations to Custom Error module.

Historical background on why this isn't built into our web sites already

If the web and the HyperText Transfer Protocol had evolved slightly better together in regards to authentication, we'd be using a separte status code like 401 rather than overloading 403.

Jamessocol said it succinctly in a comment here:

401 has a specific meaning within HTTP/1.1, and the spec says a 401 response MUST include a WWW-Authenticate header, and is intended to start HTTP authentication. 403 is less "semantically" correct, though. There's no good status for failed HTTP forms, but a few people seem to be leaning toward something between 420-422 (422 is "Unprocessable Entity" but the WebDAV definition isn't far off: http://tools.ietf.org/html/rfc4918#section-11.2 )

For much more, see also http://foswiki.org/Development/Use401ForCookieAuth or the WordPress issue https://core.trac.wordpress.org/ticket/25446 and Drupal's stated reason for using 403 instead of 401, referenced in http://drupal.stackexchange.com/questions/18348/why-does-drupal-use-403-...