
Bug #10209

Additional login prompt

Added by Matt Gold 8 months ago. Updated 8 months ago.

Status: Resolved
Priority name: Normal
Assignee:
Category name: BuddyPress (misc)
Target version:
Start date: 2018-08-22
Due date:
% Done: 0%
Estimated time:

Description

When I visit the CAC as a logged-in user, I receive a log-in prompt from bbhosted.cuny.edu. Please see the attached screenshot. I can dismiss the prompt and take actions as usual while still being logged in, but I'm unclear on why I am seeing the prompt.

History

#1 Updated by Boone Gorges 8 months ago

This happened because someone embedded an image into a blog post, and the image required HTTP authentication, and the post was syndicated to the activity stream on the front end. It's now disappeared from the scroll on the front page, so it's not an immediate issue.

I'm not sure how to protect against this in the future. Some ideas - Ray, let me know if you have more.

1. Strip images in front-page activity stream based on a domain blacklist. Advantages: Unlikely to have side effects. Disadvantages: Images may be unavailable based on things other than domain (HTTP auth for specific URLs, 404s, access control other than HTTP auth)
2. Strip all images in front-page activity stream. Advantages: Eliminates the problem. Disadvantages: Way too broad, makes the content on the home page less engaging.
3. Strip images in front-page activity stream if they're pulled from a domain other than the URL of the source site. Advantages: Strikes a balance between the breadth of the two strategies above. Disadvantages: Still susceptible to 404s; potentially strips valuable content from legitimate third-party sources.

#2 Updated by Raymond Hoh 8 months ago

I'd go with option 1, the blacklist option.

There are not many people that would link to HTTP-auth resources, so in this case we would just remove images from the activity stream matching the bbhosted.cuny.edu domain.

I guess a broader approach would be to check image links before saving them into the wp_bp_activity database table. Downsides are the usage of wp_remote_head() and checking a post with a ton of images.

#3 Updated by Boone Gorges 8 months ago

  • Assignee changed from Boone Gorges to Raymond Hoh
  • Target version set to 1.13.8

Yeah, I think you're right about using the blacklist. This is obviously a very uncommon issue. (Your suggestion of checking external resources at the time of activity recording is good, but it wouldn't even be foolproof, since the availability of an asset might change between the time of recording and the time of rendering.)

Would you mind writing a filter that strips images from the activity stream when they come from a domain blacklist (which can be defined inline IMO)?

#4 Updated by Raymond Hoh 8 months ago

  • Category name set to BuddyPress (misc)
  • Status changed from Assigned to Resolved

See https://github.com/cuny-academic-commons/cac/commit/8f3f2b6486f8195bedf56b0c6a74476e5ecd3175

I've added an image stripping function and am applying the strip after the activity item is rendered.
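An added example of the render-time filter discussed in this thread (option 1 from comment #1, applied after rendering as in comment #4). This is illustrative code written here, not the contents of the linked commit: the function names prefixed `cac_example_`, the choice of the BuddyPress `bp_get_activity_content_body` hook, and the regex-based tag handling are assumptions. The only domain in the blocklist is the one named in the ticket; everything else is constructed.

```php
<?php
/**
 * Added example, not the project's own commit: remove <img> tags from rendered
 * activity content when the image host is on an inline domain blocklist.
 *
 * Filtering at render time (rather than when the activity item is recorded)
 * follows comment #3: an asset's availability can change between recording
 * and display, so the check happens on every render.
 */

// Inline blocklist (comment #3 suggests defining it inline). Only the
// domain from the ticket is listed; add others as needed.
function cac_example_image_domain_blacklist() {
    return array( 'bbhosted.cuny.edu' );
}

// True when $host is a blocklisted domain or one of its subdomains.
function cac_example_host_is_blacklisted( $host, $blacklist ) {
    $host = strtolower( rtrim( $host, '.' ) );
    foreach ( $blacklist as $domain ) {
        $domain = strtolower( $domain );
        $suffix = '.' . $domain;
        if ( $host === $domain || substr( $host, -strlen( $suffix ) ) === $suffix ) {
            return true;
        }
    }
    return false;
}

// Strips every <img> whose src resolves to a blocklisted host.
// Relative sources (no host) resolve against this site and are left alone;
// protocol-relative "//host/path" sources are checked like absolute ones.
function cac_example_strip_blacklisted_images( $content ) {
    $blacklist = cac_example_image_domain_blacklist();

    return preg_replace_callback(
        '/<img\b[^>]*>/i',
        function ( $matches ) use ( $blacklist ) {
            $tag = $matches[0];

            // Match src=... but not data-src=...; quoted or unquoted values.
            if ( ! preg_match( '/(?<![\w-])src\s*=\s*(["\']?)([^"\'\s>]+)\1/i', $tag, $src ) ) {
                return $tag; // no src attribute: nothing would be fetched
            }

            $url = html_entity_decode( $src[2] );
            if ( 0 === strpos( $url, '//' ) ) {
                $url = 'https:' . $url; // give parse_url a scheme so it sees the host
            }

            $host = parse_url( $url, PHP_URL_HOST );
            if ( ! $host ) {
                return $tag; // relative URL: same origin as the Commons itself
            }

            return cac_example_host_is_blacklisted( $host, $blacklist ) ? '' : $tag;
        },
        $content
    );
}

// Hook name is an assumption: BuddyPress applies this filter to the rendered
// activity body, after the item has been stored in wp_bp_activity.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'bp_get_activity_content_body', 'cac_example_strip_blacklisted_images', 20 );
}

// Constructed sample for running this file outside WordPress:
// the first image is dropped, the second (same-site, relative src) is kept.
$sample = '<p>Post</p><img src="https://bbhosted.cuny.edu/private/chart.png" alt="">'
        . '<img src="/wp-content/uploads/ok.png">';
echo cac_example_strip_blacklisted_images( $sample ), PHP_EOL;
```

Matching the host against the domain and its subdomains (rather than a substring of the whole URL) avoids stripping unrelated images whose path merely contains the string, and keeps the filter from being bypassed by a different host that happens to share a suffix without the dot boundary. As comment #1 notes, this only addresses the one failure mode (HTTP auth on a known domain); 404s and other access controls on images are not detected by a domain list.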

#5 Updated by Boone Gorges 8 months ago

Thanks, Ray!
