1 changed files with 15 additions and 0 deletions
@ -0,0 +1,15 @@ |
|||||||
|
### ADR - 012: Controller HTTP return statuses |
||||||
|
|
||||||
|
Controllers assess authentication by 3 criteria: |
||||||
|
|
||||||
|
1. Are you signed in at all? |
||||||
|
2. Are you signed in and requesting an action that your role/user type has access to? |
||||||
|
3. Are you signed in, requesting an action that your role/user type has access to and requesting a resource that your user has access to. |
||||||
|
|
||||||
|
When these aren't met the fail with the following response types: |
||||||
|
|
||||||
|
1. 401: Unauthorized. Redirect to sign-in page. |
||||||
|
2. 401: Unauthorized |
||||||
|
3. 404: Not found. |
||||||
|
|
||||||
|
This helps make it harder to determine whether a resource exists or not just by enumerating ids. |
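Review bot: case 2 in the response list (a signed-in user whose role/user type lacks access to the action) returns 401, the same status as case 1, but 401 is conventionally reserved for unauthenticated requests and 403 Forbidden is the fitting status here; since case 1 specifies "401: Unauthorized. Redirect to sign-in page.", a client that follows that rule will send an already-signed-in user back to the sign-in page whenever they hit a role-restricted action. Suggest `2. 403: Forbidden`, or a sentence in the ADR recording why 401 was chosen deliberately. The rationale in the last line (404 makes it harder to determine whether a resource exists by enumerating ids) only holds if a genuinely nonexistent resource produces the same 404 status and response body as case 3, so the ADR should state that requirement explicitly. Minor wording: "When these aren't met the fail" should read "they fail", and criterion 3 should end with a question mark like the other two.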