<html><head><meta http-equiv="Content-Type" content="text/html charset=iso-8859-1"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><br><div><div>On Oct 6, 2014, at 12:35 PM, Eddie Sheffield <<a href="mailto:eddie.sheffield@rackspace.com">eddie.sheffield@rackspace.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div ocsi="0" fpstyle="1" style="font-family: Menlo-Regular; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><div style="direction: ltr; font-family: Tahoma; font-size: 12pt;">I encountered an interesting situation with Glance policies. Basically we have a situation where users in certain roles are not allowed to make certain calls at all. In this specific case, we don't want users in those roles listing or viewing members. When listing members, these users receive a 403 (Forbidden) but when showing an individual member the users receive 404 (Not Found).<br><br>So the problem is that there are a couple of situations here and we don't (can't?) distinguish the exact intent:<br><br>1) A user IS allowed to make the call but isn't allowed to see a particular member - in that case 404 makes sense because a 403 could imply the user actually is there, you just can't look see them directly.<br><br>2) A user IS NOT allowed to make the call at all. In this case a 403 makes more sense because the user is forbidden at the call level.<br><br>At this point I'm mainly trying to spark some conversation on this. This feels a bit inconsistent if users get 403 for a whole set of calls they are barred from but 404 for others which are "sub" calls of the others (e.g. listing members vs. showing a specific one.) But I don't have a specific proposals at this time - first I'm trying to find out if others feel this is a problem which should be addressed. If so I'm willing to work on a blueprint and implementation<br></div></div></blockquote><br></div><div>Generally you use a 404 to make sure no information is exposed about whether the user actually exists, but in the case of 2) I agree that a 403 is appropriate. It may be that 404 was used there because the same code path is taken in both cases.</div><div><br></div><div>Vish</div><br></body></html>