Bug #10209: Additional login prompt
Status: closed
Description
When I visit the CAC as a logged-in user, I receive a log-in prompt from bbhosted.cuny.edu. Please see the attached screenshot. I can dismiss the prompt and take actions as usual while still being logged in, but I'm unclear on why I am seeing the prompt.
Updated by Boone Gorges about 6 years ago
This happened because someone embedded an image into a blog post, and the image required HTTP authentication, and the post was syndicated to the activity stream on the front end. It's now disappeared from the scroll on the front page, so it's not an immediate issue.
I'm not sure how to protect against this in the future. Some ideas - Ray, let me know if you have more.
1. Strip images in front-page activity stream based on a domain blacklist. Advantages: Unlikely to have side effects. Disadvantages: Images may be unavailable based on things other than domain (HTTP auth for specific URLs, 404s, access control other than HTTP auth)
2. Strip all images in front-page activity stream. Advantages: Eliminates the problem. Disadvantages: Way too broad, makes the content on the home page less engaging.
3. Strip images in front-page activity stream if they're pulled from a domain other than the URL of the source site. Advantages: Strikes a balance between the breadth of the two strategies above. Disadvantages: Still susceptible to 404s; potentially strips valuable content from legitimate third-party sources.
Updated by Raymond Hoh about 6 years ago
I'd go with option 1, the blacklist option.
There are not many people that would link to HTTP-auth resources, so in this case we would just remove images from the activity stream matching the bbhosted.cuny.edu domain.
I guess a broader approach would be to check image links before saving them into the wp_bp_activity database table. Downsides are the usage of wp_remote_head() and checking a post with a ton of images.
Updated by Boone Gorges about 6 years ago
- Assignee changed from Boone Gorges to Raymond Hoh
- Target version set to 1.13.8
Yeah, I think you're right about using the blacklist. This is obviously a very uncommon issue. (Your suggestion of checking external resources at the time of activity recording is good, but it wouldn't even be foolproof, since the availability of an asset might change between the time of recording and the time of rendering.)
Would you mind writing a filter that strips images from the activity stream when they come from a domain blacklist (which can be defined inline IMO)?
Updated by Raymond Hoh about 6 years ago
- Category name set to BuddyPress (misc)
- Status changed from Assigned to Resolved
See https://github.com/cuny-academic-commons/cac/commit/8f3f2b6486f8195bedf56b0c6a74476e5ecd3175
I've added an image stripping function and am applying the strip after the activity item is rendered.
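The following is an added example of the blacklist approach chosen above (option 1 in the first comment, applied after rendering as in the last comment). It is not the CAC project's code and not the contents of the linked commit. Assumptions: the BuddyPress filter `bp_get_activity_content_body` is a suitable hook for the rendered activity content (the real front-page template may use a different one), the function names prefixed `cac_example_` are hypothetical, and `bbhosted.cuny.edu` is the only blacklist entry, taken from this ticket. Protocol-relative and subdomain `src` values are handled, since an image at `//bbhosted.cuny.edu/...` would trigger the same auth prompt; relative URLs are kept because they resolve to the site itself.

```php
<?php
/**
 * Added example (not the CAC project's own code): strip <img> tags whose
 * host is on an inline blacklist from rendered BuddyPress activity content.
 * Hook name and function names are assumptions, see the lead-in.
 */

// Hosts whose images prompt for HTTP auth (or are otherwise unavailable to
// anonymous front-page visitors). Defined inline, as suggested in the ticket.
function cac_example_image_host_blacklist() {
    return array( 'bbhosted.cuny.edu' );
}

/**
 * True when $src points at a blacklisted host, either exactly or as a
 * subdomain. Protocol-relative URLs ("//host/...") get a scheme so that
 * parse_url() yields a host; relative URLs have no host and are kept.
 */
function cac_example_is_blacklisted_src( $src, array $blacklist ) {
    $src = trim( html_entity_decode( $src, ENT_QUOTES ) );
    if ( 0 === strpos( $src, '//' ) ) {
        $src = 'https:' . $src;
    }
    $host = parse_url( $src, PHP_URL_HOST );
    if ( empty( $host ) ) {
        return false; // relative URL: same site as the page
    }
    $host = strtolower( $host );
    foreach ( $blacklist as $bad ) {
        $bad = strtolower( $bad );
        if ( $host === $bad || substr( $host, -( strlen( $bad ) + 1 ) ) === '.' . $bad ) {
            return true;
        }
    }
    return false;
}

/**
 * Remove every <img> tag whose src host is blacklisted from rendered HTML.
 * Tags without a src are left alone. The negative lookbehind keeps
 * attributes such as data-src from being mistaken for src.
 */
function cac_example_strip_blacklisted_images( $content ) {
    $blacklist = cac_example_image_host_blacklist();
    return preg_replace_callback(
        '/<img\b[^>]*>/i',
        function ( $m ) use ( $blacklist ) {
            $tag = $m[0];
            if ( preg_match( '/(?<![\w-])src\s*=\s*(["\']?)([^"\'\s>]+)\1/i', $tag, $src )
                && cac_example_is_blacklisted_src( $src[2], $blacklist ) ) {
                return '';
            }
            return $tag;
        },
        $content
    );
}

// Apply after the activity item is rendered. The hook is an assumption.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'bp_get_activity_content_body', 'cac_example_strip_blacklisted_images', 20 );
} elseif ( PHP_SAPI === 'cli' ) {
    // Constructed sample for running this file outside WordPress.
    $sample = '<p>Syndicated: <img src="https://bbhosted.cuny.edu/bbcswebdav/x.png" alt="">'
        . ' <img src="//sub.bbhosted.cuny.edu/y.png"> <img src="/wp-content/uploads/ok.png"></p>';
    echo cac_example_strip_blacklisted_images( $sample ), "\n";
    // Expected: only the /wp-content/uploads/ok.png image remains.
}
```

Two caveats a maintainer would want: `srcset` and CSS `background-image` values are not inspected, so an image can still reach the blacklisted host by those routes; and, as noted in the thread, a domain blacklist does nothing for 404s or for per-URL access control on hosts that are not listed.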