Description
Description
This is a continuation of #16026 I thought carsonbot would re-open but it's been a week and nothing has happened, so I'm opening this.
In summary, I would like to have better control of what happens when a user who is authenticated with "remember me" is denied access. As a general rule, I expect that a user authenticated via remember me should have the same experience as a fully authenticated user, so if they are denied access to something, the response should be a 403 Forbidden. But currently, the response is a redirect to login. This is not a good experience for the user, who still won't get access even after being fully authenticated. The only exception to this is when I want to protect a sensitive part of the website (e.g. changing password) and it requires IS_AUTHENTICATED_FULLY. Any other access check should result in a 403 Forbidden, even for "remember me" users.
In fact, I don't think that redirecting "remember" me users to the login page in order to become fully authenticated is ideal, and I think this would be a good opportunity to improve the process. Being redirected to the login page makes it appear as though they aren't signed in at all. From the user's point of view, it's hard to tell whether their session has expired, or if they are simply being prompted to fully authenticate. What I would prefer is if the user sees a different page that says "you are accessing a sensitive area, please verify your password" or something along those lines. That makes it clear that they are still logged in, but they just need to provide their password (not username, because they're already signed in). Of course, I can implement this myself now by adding checks to the login page and displaying different content to anonymous users vs users authenticated with "remember me", but to me this is standard behaviour that I would add to every single project I work on, and so I feel it's worth building in to the framework. So just like we have a special case for "login" and "logout", I think it's worth having a special route for "upgrade" as well. In case you don't need different content, then you could simply configure the "upgrade" route to be the same as your "login" route.
The current behaviour also makes it difficult to write javascript that handles dynamic content. If I'm loading dynamic content with an AJAX request and the request gets redirected to the login page, it's hard to determine whether this was due to a session timeout or access denied. But if there was a different route for login vs upgrade, that would make it possible to write javascript that can distinguish these cases, and display an appropriate error message.
So finally, this is what I propose:
- if an anonymous user gets access denied, redirect to login
- if an authenticated user gets access denied (whether fully authenticated or "remember me") then show 403 Forbidden
- in the special case where full authentication is required but a user only has "remember me", then redirect to the "upgrade" route
This would align closer with what I (and I assume most developers) expect should happen by default, it improves the user experience, and makes it easier to write javascript for dynamic content.
Thanks
Example
No response