Bug #7786
closed
Private Blog posts still show up in mainpage blog feed
Added by Shawnta Smith about 7 years ago.
Updated about 7 years ago.
Description
The site https://refdesk.commons.gc.cuny.edu/ is private only to approved users (library staff).
Reading is set to option: "I would like my site to be visible only to users I add to it."
However, when a blog is posted, it appears in the Recent Post feed on the main Commons website - see Alycia Sellie's post in the screenshot provided.
Is there anyway to disenable these posts from appearing in the public recent posts feed?
thank you!
Shawn
ssmith4@gc.cuny.edu
Files
- Assignee set to Boone Gorges
- Priority name changed from Normal to Urgent
Thanks for reporting, Shawn!
- Category name changed from Security to Home Page
- Assignee changed from Boone Gorges to Raymond Hoh
- Target version set to 1.10.13
Thanks for the report, Shawn.
The intent is for this feed to show posts from blogs to which the logged-in user has access. In this case, we appear to have some improper cache pollution: the widget output is cached, but the cache was in this case generated by a user with read access to the post in question (maybe you!). While we investigate, I've temporarily disabled the cache feature for this specific widget. My tests show that the post is no longer shown to logged-out users. Please verify.
Ray, could you have a look? For now, I've commented out the bit in `cac_bp_widget_cache_additions()` that activates caching for our Recent Posts widget. Does the widget caching plugin have the ability to cache on a per-user basis? Maybe it's not worth the effort?
Thanks Boone,
It seems to not show up any longer. So the temporary fix worked. I'm not sure if it is the result of pollution - as it may have always been this way, and we've only just begun to notice.
Our main understanding is that even when logged out, it shows. This is a highly confidential correspondence space. If it cannot be fixed in the long-term, we may have to disable the blog altogether.
Shawn
For now, I've commented out the bit in `cac_bp_widget_cache_additions()` that activates caching for our Recent Posts widget. Does the widget caching plugin have the ability to cache on a per-user basis? Maybe it's not worth the effort?
I think removing the Recent Posts widget from our widget cache instances is the right way to go.
I didn't foresee private items being cached from the current user if that user is viewing the frontpage.
Our main understanding is that even when logged out, it shows.
Boone's hotfix should address this, so you shouldn't experience this issue any more.
Thanks, Boone and Ray, for handling this so quickly.
Shawn, I'm very sorry that this happened.
Wow! So speedy!
No need to apologize. Glad we caught it.
Thank you all.
Shawn
- Status changed from New to Resolved
This was my fault. Sorry that I didn't anticipate this use case, Shawn. Thanks for bringing it to our attention.
Thanks Boone for hunting down the problem.
Going to mark this as resolved.
Ray, would you mind committing the hotfix from the production server, so we have a record of it?
- Related to Bug #10852: Allow Recent Blog Posts widget to be cached for anonymous visitors added
Also available in: Atom
PDF
