Umbraco incorrectly allows two URLs for node with spaces in title
Hi, if I have a node called, say, "Great Page", Umbraco will correctly tell me that the relative URL is /great-page. If I have an appropriately created controller that inherits from RenderMvcController, this code will be correctly hit and I can generate a custom model (let's call it GreatPageModel), which my View can consume by adding the line
@inherits UmbracoViewPage<XXXX.Models.GreatPageModel>
This all works great. However, if I go to the URL /greatpage (note the missing dash), it will attempt to access my view. It will NOT however run any of the code in my controller, and therefore not generate the appropriate model type, and not run any authorisation or other attributes that I may have decorated on my controller action. This results in a YSOD of
The model item passed into the dictionary is of type 'Umbraco.Web.Models.RenderModel', but this dictionary requires a model item of type 'XXX.Models.GreatPageModel'.
There seem to be a number of problems:
1) There is the possibility of more than one URL for the same resource - bad from an SEO point of view
2) It renders the view without running any of your server side code - this is particularly insidious if you were not generating a custom model instance, as the page would not YSOD but any [Attributes] you had on the controller would not fire, possibly circumventing authorisation, logging etc
3) You get a 500, rather than the 404 you would expect.
Does anyone know how you would go about disallowing Umbraco from routing to the node where the dashes have been artificially removed?
Thanks.
To elaborate on the security issue I mentioned as 2), suppose a controller action like this:
[Authorize]
public override ActionResult Index(RenderModel model)
{
    return CurrentTemplate(model);
}
All that does is ensure that the request must be authorised (see the attribute on the method). However, you can completely bypass the authorisation by just accessing the page with the dashes removed from the URL. The page will render fine, but the controller will not be hit.
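A regression check for the behaviour described in the post, as an added example that is not part of the original thread: it requests the dash-stripped form of each known URL without credentials and flags any that still reach the node. The `fetch` callable, every sample path other than /great-page and /greatpage, and the sample responses are constructed for illustration; replace `sample_fetch` with a real HTTP client to run it against your own site.

```python
def dashless_variant(path):
    """'/great-page' -> '/greatpage'; None when the path has no dash to drop."""
    stripped = path.replace("-", "")
    return stripped if stripped != path else None


def classify(canonical, status, location):
    """Judge the unauthenticated response to the dash-stripped URL."""
    if status in (404, 410):
        return "ok"              # variant does not route to the node
    if status in (301, 308) and location == canonical:
        return "ok"              # variant collapses onto the single real URL
    if status >= 500:
        return "alias-error"     # view reached with the wrong model (the YSOD)
    if 200 <= status < 300:
        return "alias-renders"   # view rendered; controller attributes never ran
    return "review"              # anything else, e.g. a 302: inspect by hand


def audit(canonical_paths, fetch):
    """fetch(path) -> (status, Location header or None), sent without credentials."""
    findings = []
    for path in canonical_paths:
        variant = dashless_variant(path)
        if variant is None:
            continue
        status, location = fetch(variant)
        verdict = classify(path, status, location)
        if verdict != "ok":
            findings.append((path, variant, status, verdict))
    return findings


# Constructed responses; only /greatpage returning a 500 comes from the post.
SAMPLE = {
    "/greatpage": (500, None),
    "/membersarea": (200, None),
    "/aboutus": (301, "/about-us"),
}


def sample_fetch(path):
    # Stand-in for an HTTP client (assumption); unknown paths answer 404.
    return SAMPLE.get(path, (404, None))


if __name__ == "__main__":
    pages = ["/great-page", "/members-area", "/about-us", "/contact", "/press-kit"]
    for finding in audit(pages, sample_fetch):
        print(finding)
```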