diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-10-05 03:08:11 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-10-05 03:08:11 +0300 |
commit | 59429d48eb1cf7032cf12363b83a045743f02a1e (patch) | |
tree | e4281f1f60bc0f71d315c1eb1bcacd57b9b72590 /doc/development/secure_coding_guidelines.md | |
parent | 484a245a95e97ae97f558a3d242f599853eb6d3c (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/development/secure_coding_guidelines.md')
-rw-r--r-- | doc/development/secure_coding_guidelines.md | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/doc/development/secure_coding_guidelines.md b/doc/development/secure_coding_guidelines.md index c9cd7161354..700de9e6b6e 100644 --- a/doc/development/secure_coding_guidelines.md +++ b/doc/development/secure_coding_guidelines.md @@ -53,6 +53,10 @@ Each time you implement a new feature/endpoint, whether it is at UI, API or Grap Be careful to **also test [visibility levels](https://gitlab.com/gitlab-org/gitlab-foss/-/blob/master/doc/development/permissions.md#feature-specific-permissions)** and not only project access rights. +The HTTP status code returned when an authorization check fails should generally be `404 Not Found` in order to avoid revealing information +about whether or not the requested resource exists. `403 Forbidden` may be appropriate if you need to display a specific message to the user +about why they cannot access the resource. If you are displaying a generic message such as "access denied", consider returning `404 Not Found` instead. + Some example of well implemented access controls and tests: 1. [example1](https://dev.gitlab.org/gitlab/gitlab-ee/-/merge_requests/710/diffs?diff_id=13750#af40ef0eaae3c1e018809e1d88086e32bccaca40_43_43) |