[ckan-discuss] Why is the bibbase package deleted?

Ted Thibodeau Jr tthibodeau at openlinksw.com
Tue Sep 28 15:14:18 BST 2010

On Sep 26, 2010, at 06:09 AM, Richard Cyganiak wrote:
> On 26 Sep 2010, at 09:39, Rufus Pollock wrote:
>>>> This is a known 'feature'. The logic is that someone with
>>>> higher privileges (e.g. sysadmin) could look at this package.
>>>> There has already been suggestion that from user perspective
>>>> a 404 would make more sense.
>>> It appears that the web front-end was implemented using the
>>> same logic: When I go to http://ckan.net/package/bibbase, then
>>> it redirects me to my user page (I am already logged in). I
>>> suppose the idea is that a user might possibly have another
>>> set of credentials with different permissions?
>> I agree that if you are already logged in redirecting you isn't
>> useful. But what about if you aren't logged in? Should you get
>> a 404 (since package deleted) or redirected to login page as
>> you may have permission to edit?
> If someone tries to access a deleted package and is not logged
> in, there are three possible scenarios:

I think a package should not be referred to as "deleted" unless the
record has been dropped.  "Hidden" is a more appropriate label for
this "restricted access" status.

> - He or she has credentials with the necessary permissions, so they
>   could view the package after logging in
> - He or she has credentials, but without the necessary permissions,
>   so after logging in they still couldn't access the package
> - He or she has no CKAN credentials at all, so can't/won't log in
> Forwarding to the login page is the right thing in the first scenario,
> but confusing or unhelpful in the second and third. The second and
> third are more likely to occur, because for any given package, users
> without admin rights by far outnumber uses with admin rights.
> So I'd recommend the 404 response regardless of whether the agent is
> logged in.

404 Not Found doesn't make sense to me when the issue really is an 
authentication error -- the requested resource *is* found, the user 
is just not allowed to see it.

I think 401 Unauthorized is more appropriate in all these cases 
because Authentication, perhaps as a different user, *could* reveal 
the package to the requester.  

Also note that the 401 or other code need not travel alone -- there 
can be an informative message along with it, as a "401 page" or 
otherwise -- and this could relieve the confusion Richard suggests.

Be seeing you,


A: Yes.                      http://www.guckes.net/faq/attribution.html
| Q: Are you sure?
| | A: Because it reverses the logical flow of conversation.
| | | Q: Why is top posting frowned upon?

Ted Thibodeau, Jr.           //               voice +1-781-273-0900 x32
Evangelism & Support         //        mailto:tthibodeau at openlinksw.com
                             //              http://twitter.com/TallTed
OpenLink Software, Inc.      //              http://www.openlinksw.com/
        10 Burlington Mall Road, Suite 265, Burlington MA 01803
OpenLink Blogs              http://www.openlinksw.com/weblogs/virtuoso/
    Universal Data Access and Virtual Database Technology Providers

More information about the ckan-discuss mailing list