Bug #7786
closed
Private Blog posts still show up in mainpage blog feed
Description
The site https://refdesk.commons.gc.cuny.edu/ is private only to approved users (library staff).
Reading is set to option: "I would like my site to be visible only to users I add to it."
However, when a blog is posted, it appears in the Recent Post feed on the main Commons website - see Alycia Sellie's post in the screenshot provided.
Is there any way to disenable these posts from appearing in the public recent posts feed?
Thank you!
Shawn
ssmith4@gc.cuny.edu
Updated by Matt Gold almost 8 years ago
- Assignee set to Boone Gorges
- Priority name changed from Normal to Urgent
Thanks for reporting, Shawn!
Updated by Boone Gorges almost 8 years ago
- Category name changed from Security to Home Page
- Assignee changed from Boone Gorges to Raymond Hoh
- Target version set to 1.10.13
Thanks for the report, Shawn.
The intent is for this feed to show posts from blogs to which the logged-in user has access. In this case, we appear to have some improper cache pollution: the widget output is cached, but the cache was in this case generated by a user with read access to the post in question (maybe you!). While we investigate, I've temporarily disabled the cache feature for this specific widget. My tests show that the post is no longer shown to logged-out users. Please verify.
Ray, could you have a look? For now, I've commented out the bit in `cac_bp_widget_cache_additions()` that activates caching for our Recent Posts widget. Does the widget caching plugin have the ability to cache on a per-user basis? Maybe it's not worth the effort?
Updated by Shawnta Smith almost 8 years ago
Thanks Boone,
It seems to not show up any longer. So the temporary fix worked. I'm not sure if it is the result of pollution - as it may have always been this way, and we've only just begun to notice.
Our main understanding is that even when logged out, it shows. This is a highly confidential correspondence space. If it cannot be fixed in the long-term, we may have to disable the blog altogether.
Shawn
Updated by Raymond Hoh almost 8 years ago
> For now, I've commented out the bit in `cac_bp_widget_cache_additions()` that activates caching for our Recent Posts widget. Does the widget caching plugin have the ability to cache on a per-user basis? Maybe it's not worth the effort?
I think removing the Recent Posts widget from our widget cache instances is the right way to go.
I didn't foresee private items being cached from the current user if that user is viewing the frontpage.
> Our main understanding is that even when logged out, it shows.
Boone's hotfix should address this, so you shouldn't experience this issue any more.
Updated by Matt Gold almost 8 years ago
Thanks, Boone and Ray, for handling this so quickly.
Shawn, I'm very sorry that this happened.
Updated by Shawnta Smith almost 8 years ago
Wow! So speedy!
No need to apologize. Glad we caught it.
Thank you all.
Shawn
Updated by Raymond Hoh almost 8 years ago
- Status changed from New to Resolved
This was my fault. Sorry that I didn't anticipate this use case, Shawn. Thanks for bringing it to our attention.
Thanks Boone for hunting down the problem.
Going to mark this as resolved.
Updated by Boone Gorges almost 8 years ago
Ray, would you mind committing the hotfix from the production server, so we have a record of it?
Updated by Raymond Hoh almost 8 years ago
Fixed in commit https://github.com/cuny-academic-commons/cac/commit/ae55266ef85ace6ccad3f34b9c86926ef63b5892.
Boone: On production, I cherry-picked this commit to master branch, since production is behind and has some untracked changes at the moment. (Some of the untracked changes are mine! Will address tomorrow.)
Updated by Boone Gorges about 6 years ago
- Related to Bug #10852: Allow Recent Blog Posts widget to be cached for anonymous visitors added
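The cache pollution diagnosed in this ticket, as an added example that is not part of the original thread and not the Commons' own PHP code: a small Python model in which a widget cache shared by all viewers is filled by an approved reader and then served to a logged-out visitor, next to a policy that caches only logged-out renders (the approach named in the title of related Bug #10852). The post titles, the `staff_user` name and both widget classes are constructed for illustration.

```python
# Constructed sample data: one public site and one private site with one approved reader.
POSTS = [
    {"title": "Welcome to the Commons", "site": "news", "private": False},
    {"title": "Staff correspondence", "site": "refdesk", "private": True},
]
MEMBERS = {"refdesk": {"staff_user"}}  # hypothetical user name


def render_recent_posts(viewer):
    """Render the widget for one viewer; viewer=None means logged out."""
    visible = [
        p["title"] for p in POSTS
        if not p["private"] or viewer in MEMBERS.get(p["site"], set())
    ]
    return "\n".join(visible)


class SharedCacheWidget:
    """Flawed: one cache entry for everyone, filled by whoever loads the page first."""
    def __init__(self):
        self.cache = {}

    def output(self, viewer):
        if "recent_posts" not in self.cache:
            self.cache["recent_posts"] = render_recent_posts(viewer)
        return self.cache["recent_posts"]


class AnonymousOnlyCacheWidget:
    """Safer: only logged-out renders are ever stored in or served from the cache."""
    def __init__(self):
        self.cache = {}

    def output(self, viewer):
        if viewer is not None:
            return render_recent_posts(viewer)  # per-user view, never cached
        if "recent_posts:anon" not in self.cache:
            self.cache["recent_posts:anon"] = render_recent_posts(None)
        return self.cache["recent_posts:anon"]


def leaks_to_logged_out(widget):
    """Prime the widget as an approved reader, then check what a logged-out visitor gets."""
    widget.output("staff_user")
    return "Staff correspondence" in widget.output(None)


if __name__ == "__main__":
    print("shared cache leaks:", leaks_to_logged_out(SharedCacheWidget()))
    print("anonymous-only cache leaks:", leaks_to_logged_out(AnonymousOnlyCacheWidget()))
```

The same priming check works as a regression test for any cached fragment whose content depends on the viewer's permissions.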