Add the ability to set custom messages on the 404 page #855

New Issue

OVERLORD · 2026-02-04T22:30:00+03:00

OVERLORD commented

2026-02-04 22:30:00 +03:00

Originally created by @mackcoding on GitHub (Oct 10, 2018).

Hello,

When a user is not logged into Bookstack they get a "Sorry, The page you were looking for could not be found." message. However, the page does exist but they are not logged in - this is not helpful and is confusing.

Two things I would like to submit as an idea:

Instead of the page not found, display a message telling the user the page requires login to view
1A) If the user is already logged in, tell them they do not have permission (I'm not sure if this happens, tbh)
When on the "page not found" (or any page) and I click login, it takes me to the login page. However, after I login I am sent back to the main page. It would be nice to implement return url.

Whoops, sorry, didn't see issue #1054! Not sure that it is a bug but hopefully the issue can be resolved. Thanks!

Originally created by @mackcoding on GitHub (Oct 10, 2018). Hello, When a user is not logged into Bookstack they get a "Sorry, The page you were looking for could not be found." message. However, the page does exist but they are not logged in - this is not helpful and is confusing. Two things I would like to submit as an idea: 1) Instead of the page not found, display a message telling the user the page requires login to view 1A) If the user is already logged in, tell them they do not have permission (I'm not sure if this happens, tbh) 2) When on the "page not found" (or any page) and I click login, it takes me to the login page. However, after I login I am sent back to the main page. It would be nice to implement return url. Whoops, sorry, didn't see issue #1054! Not sure that it is a bug but hopefully the issue can be resolved. Thanks!

OVERLORD added the 💆 UX 🖌️ View Customization labels 2026-02-04 22:30:00 +03:00

OVERLORD closed this issue

2026-02-04 22:30:03 +03:00

OVERLORD commented

2026-02-04 22:30:20 +03:00

@thomasjsn commented on GitHub (Oct 11, 2018):

I prefer the current implementation; I see no need for the user to know that I have super secret stuff there.

@thomasjsn commented on GitHub (Oct 11, 2018): I prefer the current implementation; I see no need for the user to know that I have super secret stuff there.

OVERLORD commented

2026-02-04 22:31:12 +03:00

@mackcoding commented on GitHub (Oct 11, 2018):

I prefer the current implementation; I see no need for the user to know that I have super secret stuff there.

Thank you for your input but that statement makes no sense. If the user doesn't have access to the page to begin with, they won't know it exists to even hit the url. If you don't want people to know it exists, don't send out the direct link.

We are sending out links across an environment with over 30,000+ users and we are getting a lot of complaints/confused people because the page incorrectly says it was not found when they were not logged in. Some of the content is used for different departments that shouldn't be shared with others.

I stand by my request to either (1) allow customization of the message, or (2) display the correct page "You are not allowed to view this page - please login"

@mackcoding commented on GitHub (Oct 11, 2018): > I prefer the current implementation; I see no need for the user to know that I have super secret stuff there. Thank you for your input but that statement makes no sense. If the user doesn't have access to the page to begin with, they won't know it exists to even hit the url. If you don't want people to know it exists, don't send out the direct link. We are sending out links across an environment with over 30,000+ users and we are getting a lot of complaints/confused people because the page incorrectly says it was not found when they were not logged in. Some of the content is used for different departments that shouldn't be shared with others. I stand by my request to either (1) allow customization of the message, or (2) display the correct page "You are not allowed to view this page - please login"

OVERLORD commented

2026-02-04 22:32:15 +03:00

@thomasjsn commented on GitHub (Oct 11, 2018):

Of course it makes sense, URLs can be guessed and by returning a 403 or redirecting to the login page the application is confirming that the resource do exist. But of course there are plenty of scenarios where redirecting to the login page is a much more sensible thing to do; like your case.

If you are planning to make a pull-request for it; I'd like it to be configurable, that's all. I don't think that makes me unreasonable :)

@thomasjsn commented on GitHub (Oct 11, 2018): Of course it makes sense, URLs can be guessed and by returning a 403 or redirecting to the login page the application is confirming that the resource do exist. But of course there are plenty of scenarios where redirecting to the login page is a much more sensible thing to do; like your case. If you are planning to make a pull-request for it; I'd like it to be configurable, that's all. I don't think that makes me unreasonable :)

OVERLORD commented

2026-02-04 22:32:49 +03:00

@ssddanbrown commented on GitHub (Oct 11, 2018):

Thanks for opening this request @mackcoding.

I do agree with @thomasjsn's ideas on this. Providing more detailed messaging could lead to URL sniffing which is why the current behaviour is as it is, to be secure by default by pretending the content does not exist.

Advising that the user needs to log in to view is actually quite complex and maybe misguiding since we won't be able to ensure their user could see the content if they did log-in. If this was to be implemented it would need to be an option as I'd like to keep the current secure-by-default behaviour.

Your second request, to redirect to the intended url, is actually in BookStack but only if public viewing is disabled since otherwise the intended url can becoming irrelevant depending on navigation path.

To be honest, For the above use-case, it sounds like a custom message on the 404 page would do the job.

@ssddanbrown commented on GitHub (Oct 11, 2018): Thanks for opening this request @mackcoding. I do agree with @thomasjsn's ideas on this. Providing more detailed messaging could lead to URL sniffing which is why the current behaviour is as it is, to be secure by default by pretending the content does not exist. Advising that the user needs to log in to view is actually quite complex and maybe misguiding since we won't be able to ensure their user could see the content if they did log-in. If this was to be implemented it would need to be an option as I'd like to keep the current secure-by-default behaviour. Your second request, to redirect to the intended url, is actually in BookStack but only if public viewing is disabled since otherwise the intended url can becoming irrelevant depending on navigation path. To be honest, For the above use-case, it sounds like a custom message on the 404 page would do the job.

OVERLORD commented

2026-02-04 22:33:18 +03:00

@mackcoding commented on GitHub (Oct 11, 2018):

Makes sense on the intended url. I feel there a lot of ways to implement this but I think to solve both my issue and @thomasjsn issue the best solution is to implement custom messages. Sadly my users are not to tech savvy ;)

@mackcoding commented on GitHub (Oct 11, 2018): Makes sense on the intended url. I feel there a lot of ways to implement this but I think to solve both my issue and @thomasjsn issue the best solution is to implement custom messages. Sadly my users are not to tech savvy ;)

OVERLORD commented

2026-02-04 22:34:15 +03:00

@thomasjsn commented on GitHub (Oct 12, 2018):

"This page may, or may not exist. Log in to find out!" :)

@thomasjsn commented on GitHub (Oct 12, 2018): "This page may, or may not exist. Log in to find out!" :)

OVERLORD commented

2026-02-04 22:35:23 +03:00

@ezzra commented on GitHub (Dec 11, 2018):

"This page may, or may not exist. Log in to find out!" :)

I would prefer something like that, its the usual message on platforms with such a structure and login system. But that would need to be updated in all language files....

@ezzra commented on GitHub (Dec 11, 2018): > "This page may, or may not exist. Log in to find out!" :) I would prefer something like that, its the usual message on platforms with such a structure and login system. But that would need to be updated in all language files....

OVERLORD commented

2026-02-04 22:36:04 +03:00

@ssddanbrown commented on GitHub (Jun 13, 2021):

Custom error messaging on the 404 page is now possible using the theme system. In the latest release, BookStack v21.05.2 I've made extracted out the core text to it's own view for easier overriding. See here for a quick guide on using the theme system to override: https://github.com/BookStackApp/BookStack/issues/2796#issuecomment-860215194

In addition, I believe at somepoint after this issue was opened we updated the 404 text to give a little push to the user by showing an extra obvious login button and a "If you expected this page to exist, you might not have permission to view it." message but that may not be enough for all environments.

Since the core request is now possible I'll close this off.

@ssddanbrown commented on GitHub (Jun 13, 2021): Custom error messaging on the 404 page is now possible using the theme system. In the latest release, BookStack v21.05.2 I've made extracted out the core text to it's own view for easier overriding. See here for a quick guide on using the theme system to override: https://github.com/BookStackApp/BookStack/issues/2796#issuecomment-860215194 In addition, I believe at somepoint after this issue was opened we updated the 404 text to give a little push to the user by showing an extra obvious login button and a "If you expected this page to exist, you might not have permission to view it." message but that may not be enough for all environments. Since the core request is now possible I'll close this off.

Sign in to join this conversation.

Branches Tags

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#855