Missing Pages on private and mixed security wikis
I'm trying to setup a private wiki accessable only to a group I trust. The ACLs make this relatively easy, except that missing pages and unauthorized pages return different errors. I would like authorized users to get "access denied" message when they attempt to access any page, whether or not it exists.
Another use case are "wiki-as-CMS" folk: where a small handful of users are allowed to create and edit content, but the public may only read it. Here, returning 404 errors on missing pages is desired, but they shouldn't invite people to create the page (as AlternateMissingPage and MissingPageForNotAuthorized noted, it's a usability issue). On the other hand, the site owners may wish to "cloak" draft pages from the public until they are ready: this could mean returning 404 on a page that does exist.
Possible Solutions
Have a "preferred error" option, which could be either "none", "404" or "403".
if (page exists):
if (user.may.read(page)):
send(page)
else:
send 403 if "preferred error" isn't set.
else:
if (user.may.read(any page without additional acls)):
if (user.may.write(page)):
send(404, invitation to create page)
else:
send(404, invitation to login, report problem or view sitemap)
else:
send(403, invitation to login)
(user.may.read(page)) enclosing brackets not needed inde4nting problem
If the user may write the page anonymously how does the invitation look like? Because if there is not any user account for the wiki needed how do we avoid annoying?