Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • J 447 posts 864 karma points
    Nov 27, 2021 @ 11:14
    J
    0

    Is it possible to hide the HTML for custom sections?

    I have a custom section and as per the documentation i create the HTML files at

    /app_plugins/customsection/backoffice/CustomSectionTree/edit.html

    All works and i have decorated the my class with [PluginController] and inherited my class from UmbracoAuthorizedApiController so someone must be logged in to access/view/edit the data.

    Im wondering is there a way to hide the HTML if a user works out the path for the plugin? In the above case im asking is there anyway to hide the edit.html file so it doesnt display any of the HTML?

  • Markus Johansson 1936 posts 5864 karma points MVP 2x c-trib
    Nov 29, 2021 @ 23:37
    Markus Johansson
    100

    Hi!

    Doesn’t sounds like something I’ve seen solved before. Are you planing to store sensitive information in the html-file?

    The easiest solution, as far as I can see would be to send any sensitive information from a BackofficeApiController, this would make sure that someone is logged in to the backoffice to see the sensitive part.

    If you still want to hide the html-file in Umbraco 8 I guess it might be possible with a HttpHandler or maybe som configuration in web.config.

    If you know the IPs of any editors you might be able to lock down access to the backoffice, https://our.umbraco.com/documentation/reference/security/Security-hardening/

    You could use the same approach as above with the IP but check for a auth-cookie or something for the backoffice in the rule but that would be possible to override if someone wants to put effort into it.

    At the end of the day, moving sensitive stuff to a api controller is probably the easiest and less hacky solution.

    Cheers!

  • J 447 posts 864 karma points
    Nov 30, 2021 @ 10:42
    J
    0

    Hi

    No sensitive data would be stored in the HTML file.

    I was more towards finding a way to hide the HTML controls (even though they are empty and no data is displayed when viewing the page using the direct path to it).

    For the backoffice i am using UmbracoAuthorizedApiController which only gets/displays the data from a database when a user is logged in.

    I was more curious about if there was a way to do this or not and it seems "not" as when i look at other plugins they too have the same feature where if you navigate to the direct path you can see the HTML contents.

    Thanks

  • Markus Johansson 1936 posts 5864 karma points MVP 2x c-trib
    Dec 02, 2021 @ 09:09
    Markus Johansson
    0

    Hi!

    I'm not sure what you mean with "hiding the HTML controls" if that refers to making it impossible to access the .html-file the the things I mention in the previews answer is some of the options.

    There are of course ways to hack around this, could use a "route interceptor" to avoid having the .html on disk and serve the content from a javascript file but all of this is complicated and only adds complexity. If you don't have a solid reason to "solve" the problem I would just stick with the out-of-the-box way of working.

Please Sign in or register to post replies

Write your reply to:

Draft