Bug #7786

Private Blog posts still show up in mainpage blog feed

Added by Shawnta Smith over 4 years ago. Updated over 4 years ago.

Status: Resolved
Priority name: Urgent
Assignee:
Category name: Home Page
Target version:
Start date: 2017-03-09
Due date:
% Done: 0%
Estimated time:

Description

The site https://refdesk.commons.gc.cuny.edu/ is private only to approved users (library staff).
Reading is set to option: "I would like my site to be visible only to users I add to it."

However, when a blog is posted, it appears in the Recent Post feed on the main Commons website - see Alycia Sellie's post in the screenshot provided.
Is there any way to disable these posts from appearing in the public recent posts feed?

Thank you!

Shawn

BlogRecentPostFeed.jpg (229 KB) Shawnta Smith, 2017-03-09 03:11 PM

Related issues

Related to CUNY Academic Commons - Bug #10852: Allow Recent Blog Posts widget to be cached for anonymous visitors - Resolved - 2018-12-21

History

#1 Updated by Matt Gold over 4 years ago

  • Assignee set to Boone Gorges
  • Priority name changed from Normal to Urgent

Thanks for reporting, Shawn!

#2 Updated by Boone Gorges over 4 years ago

  • Category name changed from Security to Home Page
  • Assignee changed from Boone Gorges to Raymond Hoh
  • Target version set to 1.10.13

Thanks for the report, Shawn.

The intent is for this feed to show posts from blogs to which the logged-in user has access. In this case, we appear to have some improper cache pollution: the widget output is cached, but the cache was in this case generated by a user with read access to the post in question (maybe you!). While we investigate, I've temporarily disabled the cache feature for this specific widget. My tests show that the post is no longer shown to logged-out users. Please verify.

Ray, could you have a look? For now, I've commented out the bit in `cac_bp_widget_cache_additions()` that activates caching for our Recent Posts widget. Does the widget caching plugin have the ability to cache on a per-user basis? Maybe it's not worth the effort?

#3 Updated by Shawnta Smith over 4 years ago

Thanks Boone,
It seems to not show up any longer. So the temporary fix worked. I'm not sure if it is the result of pollution - as it may have always been this way, and we've only just begun to notice.
Our main understanding is that even when logged out, it shows. This is a highly confidential correspondence space. If it cannot be fixed in the long-term, we may have to disable the blog altogether.

Shawn

#4 Updated by Raymond Hoh over 4 years ago

> For now, I've commented out the bit in `cac_bp_widget_cache_additions()` that activates caching for our Recent Posts widget. Does the widget caching plugin have the ability to cache on a per-user basis? Maybe it's not worth the effort?

I think removing the Recent Posts widget from our widget cache instances is the right way to go.

I didn't foresee private items being cached from the current user if that user is viewing the frontpage.

> Our main understanding is that even when logged out, it shows.

Boone's hotfix should address this, so you shouldn't experience this issue any more.
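
The cache pollution described in #2, and the per-user caching question raised there and answered in #4, modelled as an added Python example (not part of the original thread and not the Commons code). The classes, user names and posts are constructed for illustration.

```python
# Constructed model of a cached "Recent Posts" widget; every name here is hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Post:
    title: str
    blog: str
    members: frozenset = frozenset()  # empty set = public blog

POSTS = [  # constructed sample data
    Post("Welcome to the site", "news"),
    Post("Private staff note", "staff-desk", frozenset({"staff_a", "staff_b"})),
]

def render_widget(viewer):
    """Uncached render: only posts from blogs the viewer can read (None = logged out)."""
    return [p.title for p in POSTS if not p.members or viewer in p.members]

class SharedCache:
    """Flawed: one entry for every viewer, filled by whoever loads the page first."""
    def __init__(self):
        self.store = {}
    def get(self, viewer):
        if "recent_posts" not in self.store:
            self.store["recent_posts"] = render_widget(viewer)
        return self.store["recent_posts"]

class AnonymousOnlyCache(SharedCache):
    """Cache only the logged-out render; logged-in viewers always get a fresh render."""
    def get(self, viewer):
        if viewer is not None:
            return render_widget(viewer)
        return super().get(None)

class PerViewerCache(SharedCache):
    """Key the entry by viewer so cached output never crosses an access boundary."""
    def get(self, viewer):
        key = ("recent_posts", viewer)
        if key not in self.store:
            self.store[key] = render_widget(viewer)
        return self.store[key]

def leaks_private_post(cache):
    """Warm the cache as a blog member, then check what a logged-out visitor receives."""
    cache.get("staff_a")
    return "Private staff note" in cache.get(None)
```

Disabling caching for the widget, as the hotfix in this ticket does, corresponds to calling `render_widget` directly on every request.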

#5 Updated by Matt Gold over 4 years ago

Thanks, Boone and Ray, for handling this so quickly.

Shawn, I'm very sorry that this happened.

#6 Updated by Shawnta Smith over 4 years ago

Wow! So speedy!
No need to apologize. Glad we caught it.
Thank you all.

Shawn

#7 Updated by Raymond Hoh over 4 years ago

  • Status changed from New to Resolved

This was my fault. Sorry that I didn't anticipate this use case, Shawn. Thanks for bringing it to our attention.

Thanks Boone for hunting down the problem.

Going to mark this as resolved.

#8 Updated by Boone Gorges over 4 years ago

Ray, would you mind committing the hotfix from the production server, so we have a record of it?

#9 Updated by Raymond Hoh over 4 years ago

Fixed in commit https://github.com/cuny-academic-commons/cac/commit/ae55266ef85ace6ccad3f34b9c86926ef63b5892.

Boone: On production, I cherry-picked this commit to master branch, since production is behind and has some untracked changes at the moment. (Some of the untracked changes are mine! Will address tomorrow.)

#10 Updated by Boone Gorges over 4 years ago

Thank you, Ray!

#11 Updated by Boone Gorges almost 3 years ago

  • Related to Bug #10852: Allow Recent Blog Posts widget to be cached for anonymous visitors added
