Redirect to protected category after login

I think this is a great idea. For many kinds of forums, identifying that something is there is not a security hole and would really improve accessibility.

The challenge here is really naming the site setting properly and explaining what it does. I’ve done my best below but would not be against edits.

Here’s a mini spec:

  • Add a new site setting detailed_404, default false. “Provides more details to users about why they can’t access a particular topic. NOTE: This is less secure because users will know if a URL has a valid topic or not.”

  • When enabled, in the topic controller, if the guardian check fails, return a JSON object with details about why it failed.

  • In the front end application use these details to display an appropriate error message:

    • If anonymous: “Sorry, you’ll need to log in to see that topic”

    • If logged in:

      • If the topic is restricted to one group (excluding staff groups): “This topic is restricted to GROUP_NAME.” and include the Request Access button.

      • If the topic is restricted to many groups, display a generic message: “You don’t have access to this topic. Please reach out to whomever provided you with the link to request access.”

10 Likes
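
The decision logic in the mini spec above, as an added Ruby sketch (not Discourse's code and not part of the original post). The struct, function and JSON key names, the staff group names, and keeping HTTP 404 for the detailed response are all assumptions; the point it shows is that with `detailed_404` off, a forbidden topic and a missing topic return the identical response.

```ruby
# Added illustration, not Discourse source; every name below is hypothetical.
STAFF_GROUPS = %w[admins moderators staff].freeze # assumed staff group names
Topic = Struct.new(:id, :allowed_groups)          # empty allowed_groups => public
User  = Struct.new(:name, :groups)
GENERIC_404 = { status: 404, body: { error: "not_found" } }.freeze

def can_see?(user, topic)
  return true if topic.allowed_groups.empty?
  !user.nil? && !(user.groups & topic.allowed_groups).empty?
end

# Response for a topic request; `topics` is a Hash of id => Topic.
def topic_response(topics, id, user, detailed_404:)
  topic = topics[id]
  return GENERIC_404 if topic.nil?
  return { status: 200, body: { id: topic.id } } if can_see?(user, topic)
  # Setting off: a forbidden topic must look exactly like a missing one.
  return GENERIC_404 unless detailed_404

  groups = topic.allowed_groups - STAFF_GROUPS
  body =
    if user.nil?
      { error: "not_found", reason: "login_required" }
    elsif groups.size == 1
      { error: "not_found", reason: "group_restricted",
        group: groups.first, request_access: true }
    else
      { error: "not_found", reason: "restricted" }
    end
  { status: 404, body: body } # keeping 404 here is an assumption
end

# Front-end side: map the JSON details to the messages in the spec.
def message_for(body)
  case body[:reason]
  when "login_required" then "Sorry, you'll need to log in to see that topic"
  when "group_restricted" then "This topic is restricted to #{body[:group]}."
  when "restricted"
    "You don't have access to this topic. Please reach out to whomever " \
      "provided you with the link to request access."
  else "Page not found" # assumed generic text when no details are sent
  end
end
```

A regression test worth keeping alongside such a setting is the one that compares the full response for a restricted topic against the response for a non-existent ID while the setting is off.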