As discussed here, XF should use different status codes when something is view restricted, especially on the board URL / homepage because these are landing pages.
Reason for this is that landing pages are public and meant to ask for credentials.
What a 403 does on these pages is it limits spiders and external third party applications because a 403 signals "nothing to do here, closed". That's not true, because the landing pages are open; after all, you can log in on those pages without any restriction from XF. That's what they are designed for. See facebook.com, twitter.com, etc. Or your admin control panel login.
Current behaviour: View restrictions always throw a 403.
Proposed behaviour:
- Guest (includes spiders)
  1. On landing page(s): 200 + login page
  2. Landing on any other route & first visit: 30x + redirect to login page
  3. Landing on any other route & not first visit: same as 2. or 403 + login page
- Visitor (logged in user)
  - No changes.
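The proposed behaviour above, as a framework-neutral sketch added here (it is not XenForo code and not part of the original post). The route names, the choice of 302 for "30x", the `repeat_mode` switch for the third guest case, and the assumption that the caller already knows whether this is a first visit (for example from a session cookie) are all illustrative.

```python
from urllib.parse import urlsplit

# Assumed route names for illustration; a real board would supply its own.
LANDING_PATHS = {"/", "/index.php", "/login"}
LOGIN_PATH = "/login"


def normalize(target):
    """Reduce a request target to a comparable path.

    Drops query string and fragment and strips a trailing slash, so that
    "/index.php?x=1" and "/login/" are still recognised as landing pages.
    """
    path = urlsplit(target).path or "/"
    if len(path) > 1:
        path = path.rstrip("/") or "/"
    return path


def view_restricted_response(is_guest, target, first_visit, repeat_mode="redirect"):
    """Decide the response for a request to a view-restricted board.

    Returns (status, headers, body) or None when existing handling applies.
    repeat_mode selects between the two options the proposal leaves open for
    guests who are not on their first visit: "redirect" (same as case 2) or
    "forbid" (403 with the login page as body).
    """
    if not is_guest:
        return None  # logged-in visitor: no changes
    if normalize(target) in LANDING_PATHS:
        return (200, {}, "login_page")  # landing page is public
    if first_visit or repeat_mode == "redirect":
        # Fixed, same-origin Location: never derived from request input.
        return (302, {"Location": LOGIN_PATH}, None)
    return (403, {}, "login_page")


if __name__ == "__main__":
    # Constructed sample requests: (is_guest, target, first_visit, repeat_mode)
    samples = [
        (True, "/", True, "redirect"),
        (True, "/index.php?from=spider", False, "redirect"),
        (True, "/threads/example.12/", True, "redirect"),
        (True, "/threads/example.12/", False, "forbid"),
        (False, "/threads/example.12/", False, "redirect"),
    ]
    for s in samples:
        print(s, "->", view_restricted_response(*s))
```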