Private Blog posts still show up in mainpage blog feed
The site https://refdesk.commons.gc.cuny.edu/ is private only to approved users (library staff).
Reading is set to option: "I would like my site to be visible only to users I add to it."
However, when a blog is posted, it appears in the Recent Post feed on the main Commons website - see Alycia Sellie's post in the screenshot provided.
Is there any way to disable these posts from appearing in the public recent posts feed?
#2 Updated by Boone Gorges over 4 years ago
- Category name changed from Security to Home Page
- Assignee changed from Boone Gorges to Raymond Hoh
- Target version set to 1.10.13
Thanks for the report, Shawn.
The intent is for this feed to show posts from blogs to which the logged-in user has access. In this case, we appear to have some improper cache pollution: the widget output is cached, but the cache was in this case generated by a user with read access to the post in question (maybe you!). While we investigate, I've temporarily disabled the cache feature for this specific widget. My tests show that the post is no longer shown to logged-out users. Please verify.
Ray, could you have a look? For now, I've commented out the bit in `cac_bp_widget_cache_additions()` that activates caching for our Recent Posts widget. Does the widget caching plugin have the ability to cache on a per-user basis? Maybe it's not worth the effort?
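The cache pollution described in #2, and one possible answer to the per-user caching question, as an added example that is not part of this thread or the Commons code base: a shared cache key is compared with a key derived from the set of blogs the viewer can read. The post data, user IDs and function names are constructed for illustration, and a plain array stands in for the widget cache plugin.

```php
<?php
// Constructed sample data: blog 1 is public, blog 7 is private.
const POSTS = [
    ['blog_id' => 1, 'title' => 'Welcome to the Commons'],
    ['blog_id' => 7, 'title' => 'Staff-only desk notes'],
];
const PUBLIC_BLOGS = [1];
// Constructed membership map: user ID => private blog IDs that user may read.
const PRIVATE_ACCESS = [42 => [7]];

// Blogs a viewer may read; user ID 0 means logged out.
function readable_blogs(int $user_id): array {
    $blogs = array_merge(PUBLIC_BLOGS, PRIVATE_ACCESS[$user_id] ?? []);
    sort($blogs);
    return $blogs;
}

// Uncached widget output: only posts from blogs the viewer can read.
function render_recent_posts(int $user_id): string {
    $allowed = readable_blogs($user_id);
    $titles = [];
    foreach (POSTS as $post) {
        if (in_array($post['blog_id'], $allowed, true)) {
            $titles[] = $post['title'];
        }
    }
    return implode(' | ', $titles);
}

// Flawed: one cache entry per widget, shared by every viewer.
function cached_widget_shared(array &$cache, int $user_id): string {
    $key = 'recent_posts';
    return $cache[$key] ??= render_recent_posts($user_id);
}

// Safer: the key varies with the viewer's readable blogs, so two viewers
// share an entry only when they would see identical output anyway.
function cached_widget_by_access(array &$cache, int $user_id): string {
    $key = 'recent_posts:' . hash('sha256', implode(',', readable_blogs($user_id)));
    return $cache[$key] ??= render_recent_posts($user_id);
}

$shared = [];
cached_widget_shared($shared, 42); // a staff member warms the cache first
echo 'shared key, logged out: ', cached_widget_shared($shared, 0), PHP_EOL;

$scoped = [];
cached_widget_by_access($scoped, 42);
echo 'access key, logged out: ', cached_widget_by_access($scoped, 0), PHP_EOL;
```

With the shared key the logged-out request is served the staff member's rendering, private title included; with the access-derived key it gets its own entry containing only the public post.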
#3 Updated by Shawnta Smith over 4 years ago
It seems to not show up any longer. So the temporary fix worked. I'm not sure if it is the result of pollution - as it may have always been this way, and we've only just begun to notice.
Our main understanding is that even when logged out, it shows. This is a highly confidential correspondence space. If it cannot be fixed in the long-term, we may have to disable the blog altogether.
#4 Updated by Raymond Hoh over 4 years ago
> For now, I've commented out the bit in `cac_bp_widget_cache_additions()` that activates caching for our Recent Posts widget. Does the widget caching plugin have the ability to cache on a per-user basis? Maybe it's not worth the effort?
I think removing the Recent Posts widget from our widget cache instances is the right way to go.
I didn't foresee private items being cached from the current user if that user is viewing the frontpage.
> Our main understanding is that even when logged out, it shows.
Boone's hotfix should address this, so you shouldn't experience this issue any more.
#9 Updated by Raymond Hoh over 4 years ago
Boone: On production, I cherry-picked this commit to master branch, since production is behind and has some untracked changes at the moment. (Some of the untracked changes are mine! Will address tomorrow.)