Bug #1660
closedAuthentication Required from jitp.commons.gc...
Added by Sarah Morgano over 12 years ago. Updated over 12 years ago.
0%
Description
Hi Boone,
I keep getting a security pop up when I'm on the HOME or NEWS page asking me to enter my username and password to access the jitp.commons.gc.cuny.edu server. I get the same message on IE8/FF8 whether I'm logged in or logged out. I've also been experiencing caching issues, so I'm not sure if it's related. I did try to access one of the blog posts earlier and have been having issues ever since. Can someone else try to replicate this issue?
Thanks,
Sarah
Files
security.jpg (47.7 KB) security.jpg | Sarah Morgano, 2012-02-27 12:21 PM |
Related issues
Updated by Matt Gold over 12 years ago
- Status changed from New to Rejected
Hi Sarah,
This is a feature, not a bug. See - http://redmine.gc.cuny.edu/issues/1648
The larger question is how you got to that link. Are posts showing up on the homepage of the Commons?
Updated by Matt Gold over 12 years ago
- Category name set to WordPress (misc)
- Status changed from Rejected to Assigned
- Assignee set to local admin
- Priority name changed from Normal to Immediate
- Target version set to Not tracked
Whoops -- didn't realize that the sign-in was appearing on the homepage -- looks like the system implemented in http://redmine.gc.cuny.edu/issues/1648 is affecting the entire site. André, may I ask you to look into this immediately? Many thanks for your help.
Updated by Boone Gorges over 12 years ago
The cause here is the Recent Blog Posts widget on the lower left. It is getting hung up when it attempts to pull assets (ie pictures) from the jitp subdomain.
A note that this only affects logged in users for whom JITP blog post show up in that Recent Blog Posts widget: super admins, and members of the site. So I think it's probably not really an issue.
Updated by Boone Gorges over 12 years ago
Er, I take that back. What I described is the way it ought to work. But blog posts are showing up for logged-out users, probably because the blog has been set to Public.
There's probably no way that André can change this from Apache settings.
Updated by local admin over 12 years ago
Couple things:
1. I tested this in production at the time, so this must be new?
2. Can we get JITP post not posted on the home-page instead?
Updated by local admin over 12 years ago
...like can we make the blog not public?
Updated by local admin over 12 years ago
...but yeah, there may be a way to prevent this: Boone, is the call for the JITP blog posts made internally or via the client request?
Updated by local admin over 12 years ago
...meanwhile I removed the htaccess
snippet to allow unfettered access to the website.
Updated by Boone Gorges over 12 years ago
- Assignee changed from local admin to Boone Gorges
Presumably the blog has to remain public, because the whole point of the .htaccess protection was to provide a method, other than Commons membership, of restricting access.
Can we get JITP post not posted on the home-page instead?
This is the solution. I will have to do an ugly hotfix. The site will be offline for a few minutes.
Updated by Boone Gorges over 12 years ago
André, it looks like you might have .htaccess open (I see a swap file owned by root). Can you close out please?
Updated by local admin over 12 years ago
Boone Gorges wrote:
Presumably the blog has to remain public, because the whole point of the .htaccess protection was to provide a method, other than Commons membership, of restricting access.
Got it.
Can we get JITP post not posted on the home-page instead?
This is the solution. I will have to do an ugly hotfix. The site will be offline for a few minutes.
What exactly is getting called from JITP here? What's the URI for the resource in question? I can't seem to locate it either via logs or firebug.
Updated by local admin over 12 years ago
Boone Gorges wrote:
André, it looks like you might have .htaccess open (I see a swap file owned by root). Can you close out please?
You got it.
Updated by local admin over 12 years ago
The CUNY Academic Commons is offline for regularly scheduled maintenance.
Is this really necessary? Can't we just work from dev?
Updated by Boone Gorges over 12 years ago
- Status changed from Assigned to Reporter Feedback
Is this really necessary? Can't we just work from dev?
Too late.
I've added a function to bp-custom.php (cac_bloc_jitp_activity()) that catches all Activity queries and manually excludes all posts from the JITP groupblog. Here is the clause:
(a.type NOT IN ('new_blog_post', 'new_blog_comment') OR a.component != 'groups' OR a.item_id != 368)
Note that this also prevents group members from seeing activity items related to the blog.
Let me know when it's OK to lift this restriction.
Updated by Matt Gold over 12 years ago
Hi All,
Thanks for your work on this and sorry I missed the ensuing conversation while I was on the subway. Just FYI, I think that a simple switch on the blog's privacy settings, from fully public to public but prevent search engines, would have had the effect of keeping this site's blog posts out of the activity stream and thus off of the homepage.
Nevertheless, thank you so much for working on this so quickly.
Best,
Matt
Updated by Boone Gorges over 12 years ago
- Status changed from Reporter Feedback to Resolved
I think that a simple switch on the blog's privacy settings, from fully public to public but prevent search engines, would have had the effect of keeping this site's blog posts out of the activity stream and thus off of the homepage.
Not for existing activity items, which were the ones causing problems.
Updated by Matt Gold over 12 years ago
Gotcha. Had I realized the potential for this, I would had them set up privacy differently from the beginning. Live and learn. Thanks for your work on this
Updated by Boone Gorges over 12 years ago
- Status changed from Resolved to Reporter Feedback
- Priority name changed from Immediate to Normal
- Target version changed from Not tracked to 1.3.9
Can I lift the restriction on this, so that JITP items appear in the main activity streams again?
Updated by Boone Gorges over 12 years ago
- Status changed from Reporter Feedback to Resolved