Bug #10209: Additional login prompt - CUNY Academic Commons - CUNY Graduate Center - Project Tracking System

Custom queries

. 2.3.7 open
2.4.0 open
2.4.0 open (by category)
2.4.0 open (by tracker)
High Priority Issues by User
Inbox (no milestone)
My Assigned Issues (by milestone)
My Watched Issues (by milestone)
Not Tracked - grouped by assignee
Not tracked (milestone-independent)

Actions

Copy link

Bug #10209

closed

Additional login prompt

Added by Matt Gold over 5 years ago. Updated over 5 years ago.

Status:

Resolved

Priority name:

Normal

Assignee:

Raymond Hoh

Category name:

BuddyPress (misc)

Target version:

1.13.8

Start date:

2018-08-22

Due date:

% Done:

Estimated time:

Deployment actions:

Description

When I visit the CAC as a logged-in user, I receive a log-in prompt from bbhosted.cuny.edu. Please see the attached screenshot. I can dismiss the prompt and take actions as usual while still being logged in, but I'm unclear on why I am seeing the prompt

Files

Screen Shot 2018-08-22 at 7.54.43 PM.png (441 KB) Screen Shot 2018-08-22 at 7.54.43 PM.png

Matt Gold, 2018-08-22 08:01 PM

History
Notes

Actions

Copy link

Updated by Boone Gorges over 5 years ago

This happened because someone embedded an image into a blog post, and the image required HTTP authentication, and the post was syndicated to the activity stream on the front end. It's now disappeared from the scroll on the front page, so it's not an immediate issue.

I'm not sure how to protect against this in the future. Some ideas - Ray, let me know if you have more.

1. Strip images in front-page activity stream based on a domain blacklist. Advantages: Unlikely to have side effects. Disadvantages: Images may be unavailable based on things other than domain (HTTP auth for specific URLs, 404s, access control other than HTTP auth)
2. Strip all images in front-page activity stream. Advantages: Eliminates the problem. Disadvantages: Way too broad, makes the content on the home page less engaging.
3. Strip images in front-page activity stream if they're pulled from a domain other than the URL of the source site. Advantages: Strikes a balance between the breadth of the two strategies above. Disadvantages: Still susceptible to 404s; potentially strips valuable content from legitimate third-party sources.

Actions

Copy link

Updated by Raymond Hoh over 5 years ago

I'd go with option 1, the blacklist option.

There are not many people that would link to HTTP-auth resources, so in this case we would just remove images from the activity stream matching the bbhosted.cuny.edu domain.

I guess a more, broad approach would be to check image links before saving them into the wp_bp_activity database table. Downsides are the usage of wp_remote_head() and checking a post with a ton of images.

Actions

Copy link

Updated by Boone Gorges over 5 years ago

Assignee changed from Boone Gorges to Raymond Hoh
Target version set to 1.13.8

Yeah, I think you're right about using the blacklist. This is obviously a very uncommon issue. (Your suggestion of checking external resources at the time of activity recording is good, but it wouldn't even be foolproof, since the availability of an asset might change between the time of recording and the time of rendering.)

Would you mind writing a filter that strips images from the activity stream when they come from a domain blacklist (which can be defined inline IMO)?

Actions

Copy link