
Access denied pattern

Open mtallamy opened this issue 7 years ago • 9 comments

What

Pattern for Access Denied resource page, responding to an HTTP 403

Why

For authenticated sites, particularly for users with different roles/claims, they need to indicate where access to a resource has been forbidden.

Anything else

This is likely to take a similar format to the existing resource not found (404) pattern.

mtallamy avatar Sep 11 '18 09:09 mtallamy

@mtallamy The default one for HMRC is almost identical to the 404. We tried to keep it general rather than too technical.

```html
<h1>You do not have permission to access this service</h1>
<p><a href="mailto:emailaddress">Email emailaddress</a> if you think you do have permission to access this service.</p>
```

stevenaproctor avatar Sep 11 '18 10:09 stevenaproctor

Thanks for this @stevenaproctor. I agree that should be non-technical and very close to the 404, which is what we've implemented as a starter for 10 (adapting the 404 pattern). I also agree there should be contact details if the user thinks they should have access.

The example you give appears to assume that a user doesn't have access to the entire service, which in our case at least might not be the case. I'd prefer to see the message relate to a specific resource, rather than the entire service.

From a security perspective, and this moves away from my request for a specific 403 page, I wonder if there should be any differentiation between a 403 and a 404, i.e. should we indicate to a (potentially malicious) user that a resource does exist, even though they don't have access to it. I'd be interested in opinions on this.

mtallamy avatar Sep 11 '18 14:09 mtallamy
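An added example, not code from the thread or from GOV.UK Frontend, showing how a service could serve the resource-scoped access-denied page discussed above and make the 403-versus-404 choice per resource: resources whose existence is itself sensitive answer exactly like a missing page. The paths, roles, `conceal` flag and contact address are assumptions.

```python
from html import escape
from typing import Set, Tuple

# Constructed sample access table (hypothetical paths and roles): which roles may
# view each resource, and whether the resource's existence is itself sensitive,
# in which case unauthorised users get the same 404 as for a missing page.
RESOURCES = {
    "/claims/123": {"roles": {"caseworker", "admin"}, "conceal": False},
    "/admin/audit-log": {"roles": {"admin"}, "conceal": True},
}

NOT_FOUND_HTML = "<h1>Page not found</h1>"


def access_denied_html(contact_email: str) -> str:
    """Resource-scoped variant of the HMRC wording quoted in the thread."""
    addr = escape(contact_email, quote=True)  # never emit the address raw
    return (
        "<h1>You do not have permission to access this page</h1>"
        f'<p><a href="mailto:{addr}">Email {addr}</a> if you think you do '
        "have permission to access this page.</p>"
    )


def respond(path: str, user_roles: Set[str], contact_email: str) -> Tuple[int, str]:
    """Return (HTTP status, body) for an authenticated user requesting path.

    A resource marked conceal=True is answered byte-for-byte like a missing
    page, so the response never confirms to an unauthorised user that the
    resource exists. Other resources get a plain 403 with contact details.
    """
    entry = RESOURCES.get(path)
    if entry is None:
        return 404, NOT_FOUND_HTML
    if user_roles & entry["roles"]:
        return 200, f"<h1>{escape(path)}</h1>"
    if entry["conceal"]:
        return 404, NOT_FOUND_HTML  # indistinguishable from a real 404
    return 403, access_denied_html(contact_email)


if __name__ == "__main__":
    for path in ("/claims/123", "/admin/audit-log", "/missing"):
        status, body = respond(path, {"viewer"}, "helpdesk@example.com")
        print(path, status, body[:45])
```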

@mtallamy Good point about being able to access the service versus the resource. We use "service" because that is the more common case but there would definitely be times when people could not get into specific resources or journeys. But, in our case, this would be handled, generally, without getting a https error.

Our page is almost identical to our 404 but we felt saying 'Page not found' was not the best user experience.

stevenaproctor avatar Sep 12 '18 07:09 stevenaproctor

Other DfE content designers and I have created "You do not have access" pages for internal services. I think a pattern that gives guidance to the Civil Service on whether and how to create "You do not have access" pages would be very useful 🙂

[Screenshots of DfE pages with the headings "You do not have permission to perform this action" and "You do not have access"]

adyhoran1 avatar May 20 '22 09:05 adyhoran1

Example from the Home Office used for 401 and 403 errors.

[Screenshot of the Home Office 401/403 error page]

Huskyteer avatar May 20 '22 15:05 Huskyteer

Quick question - do we feel like this idea is covered by the There is a problem with the service pages?

Ciandelle avatar Jul 08 '22 09:07 Ciandelle

> Quick question - do we feel like this idea is covered by the There is a problem with the service pages?

@Ciandelle they're similar / related, but it's a different content need.

edwardhorsford avatar Jul 08 '22 09:07 edwardhorsford

@Ciandelle I do think there could possibly be a single section on error pages with a bunch of different examples - you don't necessarily need a 'pattern' on each...

edwardhorsford avatar Jul 08 '22 09:07 edwardhorsford

> @Ciandelle I do think there could possibly be a single section on error pages with a bunch of different examples - you don't necessarily need a 'pattern' on each...

Agreed, sounds good!

mtallamy avatar Jul 11 '22 07:07 mtallamy