
Trustwave LOL

I needed to update the settings for a PCI Compliance scan for one of our websites. The IP Address of the website had changed, as we had moved servers. To do this I logged into Trustwave's TrustKeeper.

I could not change the scan location (IP Address), I could only add and remove. So that I could still see the old settings, I decided to add the new domain/IP Address combination first.

Trying to add failed (see comic errors below). The domain name I was trying to add already existed; it was the same, so that was not allowed.

So I thought I would Remove first... This time, I was asked why I wanted to remove the domain. The options were:

  • This location was entered in error
  • This location does not need to be scanned for PCI DSS compliance
  • This location had an update (e.g. IP address change) and the update has been added.

None of these are true. I had already tried the add described in the third option, but it was not accepted. I selected the third option, just to get through, and clicked "delete", which resulted in another comic error. Fortunately, it did not check to see if I had already added the new location - if it had, I'd have been really stuck. Thanks Trustwave!

Comic Errors

When dealing with the settings, Trustwave use modal pop overs. You know the ones, the website is greyed over, and a small box appears over that. For this classic piece of design though, a decision was made to ensure the error messages were shown on the main page - yes, that's right - behind the grey over-tint. Genius, absolute genius, I'm glad these are the people looking after my security!

The moral of the story...

When building code to allow someone to make changes, you need to think really deeply about what they can and cannot do. Also ensure that the options they have actually make sense in the real world, and that they can actually do what you tell them.

Errors need to be handled in a sensible way, and need to be not just visible, but obvious...!