TLDR: Currently, errors 404, 403 or 407 are sent with a moodle_exception. However, the status code is not chosen depending on the error, but rather the client. Unfortunately, 404 errors can lead to IP bans on shared hosting plans, so they should not be used excessively.
While working on MDL-67198 I came across the following issue that I would like to discuss. (I am new to Moodle Dev, so please correct me if I got something wrong.)
Whenever a moodle_exception is thrown, the function core_renderer::fatal_error is called. This function will then cause the web server to respond with error status 404, 403 or 407. Which code is chosen seems to depend solely on the question whether $_SERVER['HTTP_RANGE'] is empty or whether a certain version of Safari on iOS is used. IMHO it would make more sense to choose the response code according to the error rather than the client.
Also, using 404 as an error code can be considered wrong in certain cases, and borderline in other situations. For example, if one tries to access /course/view.php?id=XXX with an invalid ID, one might argue that 404 is a correct response, because the requested course could not be found. (This is in line with RFC 2616 which says that 404 is to be sent when the server "has not found anything matching the Request-URI", and the query string is part of the request URI.) One could also argue that 404 is wrong in the sense that view.php was found and executed, so the error actually only happened at the application level. Thus, the server itself should not send back an error code. However, if one accesses /course/view.php with no parameters at all, the request URI is valid and the resource is found. In this case, a 404 error is IMHO clearly wrong w.r.t. RFC 2616.
As an aside, 404 errors can trigger nasty IP bans on shared hosting plans, because they might indicate that someone is probing the server.
OTOH, some errors really should lead to a 404 response, e.g. when adding an LTI component, the external server will issue a REST call to Moodle to check whether the same component is already installed. If it is not, 404 is the right thing to send.
So, I would like to know what the more experienced developers think about the idea that the status code should be chosen depending on the actual error?
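How a 404-counting ban rule of the kind mentioned above sees application-level 404s, as an added example that is not part of the original post and not Moodle or hosting-provider code. The threshold, the time window, the log lines and the `ignore_paths` allow-list are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined"-style access log line.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(line):
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["uri"].split("?", 1)[0], int(m["status"])

def banned_ips(lines, threshold=5, window_s=60, ignore_paths=()):
    """IPs that produce >= threshold 404s within window_s seconds.

    threshold/window_s are assumed values, not any real host's policy.
    ignore_paths: scripts known to exist, whose 404s are application errors.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent 404s
    banned = set()
    for ip, ts, path, status in filter(None, map(parse, lines)):
        if status != 404 or path in ignore_paths:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()               # drop 404s older than the window
        if len(q) >= threshold:
            banned.add(ip)
    return banned

def _line(ip, sec, uri, status):
    return (f'{ip} - - [10/Mar/2020:10:00:{sec:02d} +0000] '
            f'"GET {uri} HTTP/1.1" {status} 512')

# Constructed sample: a user following stale course links, and a client
# requesting files that do not exist on the server.
MISSING = ["/backup.zip", "/admin.php", "/test.php", "/old/", "/config.bak"]
SAMPLE = (
    [_line("203.0.113.10", 5 * i, f"/course/view.php?id={900 + i}", 404)
     for i in range(5)]
    + [_line("198.51.100.7", 2 * i, p, 404) for i, p in enumerate(MISSING)]
    + [_line("203.0.113.10", 40, "/my/", 200)]
)
```

With the default rule both addresses are flagged; once 404s from the existing script `/course/view.php` are excluded, only the client requesting missing files remains.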