Same messages for not found and access denied

To prevent information leaks, show a more generic message to users if they have no permissions to a resource does not exist and they have no access to fixes #1728
moinwiki · Nov 27, 2024 · c9ecc24 · c9ecc24
1 parent 2213072
commit c9ecc24
Show file tree

Hide file tree

Showing 8 changed files with 1,792 additions and 1,574 deletions.
diff --git a/src/moin/apps/frontend/views.py b/src/moin/apps/frontend/views.py
@@ -1097,7 +1097,11 @@ def ajaxdestroy(item_name, req="destroy"):
             if isinstance(item, NonExistent):
                 # we should not try to destroy a nonexistent item,
                 # user probably checked a subitem and checked do subitems
-                response["messages"].append(_("Item '{bad_name}' does not exist.").format(bad_name=item.name))
+                response["messages"].append(
+                    _("Item '{bad_name}' does not exist or you do not have permission to access it.").format(
+                        bad_name=item.name
+                    )
+                )
                 continue
             subitem_names = []
             if req == "destroy":

diff --git a/src/moin/templates/404.html b/src/moin/templates/404.html
@@ -13,7 +13,7 @@ <h1> {{ _("Not Found") }}</h1>
     <div class="error">
         <p>
             <strong>
-                {{ _("The item '{item_name}' does not exist.").format(item_name=item_name) }}
+                {{ _("The item '{item_name}' does not exist or you do not have permission to access it.").format(item_name=item_name) }}
             </strong>
         </p>
         {% if path %}

diff --git a/src/moin/templates/show_nonexistent.html b/src/moin/templates/show_nonexistent.html
@@ -1,7 +1,7 @@
 {% extends theme("layout.html") %}
 {% block content %}
-    <h1>{{ _("Item not found") }}</h1>
+    <h1>{{ _("Item not found or access denied") }}</h1>
     <p>
-        {{ _("Item '{name}' does not exist.").format(name=item_name) }}
+        {{ _("Item '{name}' does not exist or you do not have permission to access it.").format(name=item_name) }}
     </p>
 {% endblock %}
diff --git a/src/moin/themes/__init__.py b/src/moin/themes/__init__.py
@@ -73,8 +73,10 @@ def render_template(template, **context):
 def themed_error(e):
     item_name = request.view_args.get("item_name", "")
     if e.code == 403:
-        title = L_("Access Denied")
-        description = L_("You are not allowed to access this resource.")
+        title = L_("Item not found or access denied")
+        description = L_("Item '{name}' does not exist or you do not have permission to access it.").format(
+            name=item_name
+        )
         if e.description.startswith(" "):
             # leading blank indicates supplemental info, not standard werkzeug message
             description += e.description