
  • Daniël Knippers 70 posts 443 karma points MVP c-trib
    Jul 12, 2018 @ 09:29
    Daniël Knippers
    2

    Preview mode requires disableFindContentByIdPath="false"

    Hi guys,

    I love this package, but one thing I don't really get is why the preview mechanism uses a request to http://mysite.com/<current-node-id>?dgtePreview=1 for its preview functionality?

    This requires the settings disableFindContentByIdPath to be set to false in umbracoSettings.config (<web.routing> element).

    Setting this to false (which I believe is actually the default for some reason) means any user in the world (including malicious ones) can get a complete list of all node IDs present in the site's Umbraco installation (by just running http://mysite.com/<node-id> for all integers and checking the response).

    While I am not sure if this poses a security issue, we like to not unnecessarily open doors. In addition, it makes no sense for a website to respond to a /<node-id> path anyway.

    Therefore we prefer to have this setting set to true. Of course, that breaks DTGE so that's not always an option.

    Long story short; would it be possible to change the preview mechanism to not rely on this fairly odd Umbraco functionality? Perhaps just use an API controller to render the preview partial view HTML -- although I know rendering a (partial) view in an API controller is not as easy as I would want it to be.

    -- Daniël

  • Lee Kelleher 3799 posts 14048 karma points MVP 8x admin c-trib
    Jul 12, 2018 @ 10:04
    Lee Kelleher
    1

    Hi Daniël,

    Thanks for raising this. I wasn't aware of the disableFindContentByIdPath option in umbracoSettings.config.

    DTGE's previewer has long been a thorn in my side. The original design decision was made 3 years ago and any hiccups were worked around.

    I have been wanting the preview mechanism to be completely refactored - but time, effort and dealing with backwards-compatibility have been a problem.

    See here for various efforts over the years: https://github.com/umco/umbraco-doc-type-grid-editor/issues?utf8=%E2%9C%93&q=is%3Aissue+in%3Atitle+preview

    I appreciate that it's frustrating.

    For this specific disableFindContentByIdPath=true issue, I've opened a ticket on our GitHub repo: https://github.com/umco/umbraco-doc-type-grid-editor/issues/109

    It has details about the unfinished previewer (in the feature/preview-unpublished branch), which does use a WebAPI controller to render the partial. It's on the right track, but needs more dev hours and testing (to make sure backwards-compatibility is good).

    Cheers,
    - Lee

  • jeffrey.schoemaker@perplex.nl 276 posts 1064 karma points MVP 2x c-trib
    Jul 18, 2018 @ 12:51
    jeffrey.schoemaker@perplex.nl
    1

    Hi Lee,

    Just a bit more info and background about the "disabledFindContentByIdPath". We have it disabled (or set to 'true' actually) in our default environment because it makes it possible to do simple node-traversal on websites, allowing all pages on the site to be crawled even if they are not in the sitemap, for example.

    Some example-pages on umbraco.com are:

    By doing node iteration you can maybe find pages that are hidden to the general public but only available for persons who know the exact url. It is security by obscurity, but we probably all have been there :P. And this makes it really easy to find these pages.

    Furthermore it can give some reference about how the code of the website is set up. If there were blog comments, for example, on the above blog pages, and you see that there are 10 blog comments and the next number that gives results is https://umbraco.com/

    So for that reason I would love to see that the preview in DTGE will get some TLC so we can use DTGE & make our umbraco-install a bit safer.

    Kind regards, Jeffrey
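Daniël's and Jeffrey's posts above both describe the same risk: with disableFindContentByIdPath="false", a client can walk http://mysite.com/<integer> and learn every node ID from the responses. The following is an added example (not DTGE or Umbraco code) of the defender's side of that: a small detector that reads access-log lines and flags clients requesting many distinct bare-integer paths. The log format (a simplified W3C-style line: date, time, client IP, method, URI, status) and all sample lines are constructed for this illustration.

```python
"""Flag clients walking bare integer paths (GET /1051, /1052, ...) in access logs.

Added illustration for the thread above; not part of DTGE or Umbraco.
The log format and every sample line below are constructed for this example.
"""
import re
from collections import defaultdict

# A bare integer path such as "/1051" or "/1051/" is what the node-id route answers.
NODE_ID_PATH = re.compile(r"^/(\d+)/?$")

# Constructed simplified W3C-style line: date time client-ip method uri status
LOG_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3})$"
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None

def find_enumerators(lines, threshold=5):
    """Return {client_ip: sorted node ids} for clients that requested at least
    `threshold` distinct bare-integer paths. Status codes are deliberately not
    filtered: a run of mixed 200 (node exists) and 404 (gap in the id range)
    is itself the enumeration signature."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["uri"].split("?", 1)[0]  # drop query string, e.g. ?dgtePreview=1
        m = NODE_ID_PATH.match(path)
        if m:
            hits[rec["ip"]].add(int(m.group(1)))
    return {ip: sorted(ids) for ip, ids in hits.items() if len(ids) >= threshold}

SAMPLE_LOG = """\
2018-07-12 09:00:01 203.0.113.7 GET /1050 200
2018-07-12 09:00:01 203.0.113.7 GET /1051 200
2018-07-12 09:00:02 203.0.113.7 GET /1052 404
2018-07-12 09:00:02 203.0.113.7 GET /1053 200
2018-07-12 09:00:03 203.0.113.7 GET /1054 404
2018-07-12 09:00:03 203.0.113.7 GET /1055 200
2018-07-12 09:00:04 198.51.100.9 GET /about-us 200
2018-07-12 09:00:05 198.51.100.9 GET /1051?dgtePreview=1 200
2018-07-12 09:00:06 192.0.2.4 GET /blog 200
"""

if __name__ == "__main__":
    for ip, ids in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(ids)} distinct node-id paths, {ids[0]}..{ids[-1]}")
```

A single editor preview request (the /<id>?dgtePreview=1 line) stays below the threshold, while the sequential walk from 203.0.113.7 is reported; the threshold and time window are site-specific tuning.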

  • Daniël Knippers 70 posts 443 karma points MVP c-trib
    Jul 12, 2018 @ 10:50
    Daniël Knippers
    1

    Hi Lee,

    Thanks for your quick and detailed response. Good to hear there is already some work done on a new preview mechanism. Hopefully some people from the community can help with finishing the feature. I'm a bit full atm myself but let's see if I can also find some time in the near-ish future :)

    -- Daniël

  • Lee Kelleher 3799 posts 14048 karma points MVP 8x admin c-trib
    Aug 03, 2018 @ 11:23
    Lee Kelleher
    1

    Just to let you guys know that we've completed the refactoring of the preview mechanism and have released a beta of v0.6.0.

    All details are here: https://github.com/umco/umbraco-doc-type-grid-editor/releases/tag/0.6.0-beta

    I've made it a beta, as we'd like to have some testers make sure that their existing DTGE implementations still work with the new previewer.

    If you guys have time/resource to test it out too, that would be hugely appreciated.

    The beta is at the following places...

    Thanks,
    - Lee

  • Daniël Knippers 70 posts 443 karma points MVP c-trib
    Aug 03, 2018 @ 11:27
    Daniël Knippers
    1

    That's amazing Lee! I'll try my best to test this next week with an existing implementation of DTGE in a project and will let you know how it went :) Hopefully some others can check it out too.

  • Lee Kelleher 3799 posts 14048 karma points MVP 8x admin c-trib
    Aug 03, 2018 @ 11:33
    Lee Kelleher
    0

    Thanks Daniël!

    I've tested it out on a couple of my clients' websites (but they are fairly old, v7.6 sites). (I haven't used DTGE on a new project recently.)

    Those are working fine with the new previewer, but yeah always good to have feedback from a wider audience.

  • Daniël Knippers 70 posts 443 karma points MVP c-trib
    Aug 07, 2018 @ 09:10
    Daniël Knippers
    1

    Hi Lee,

    I just tested this on one of our sites currently in development, and it worked perfectly. It was an Umbraco 7.11.1 site with DTGE 0.5.0. I upgraded via NuGet to 0.6.0-beta and set disableFindContentByIdPath to true again.

    Everything worked as before without issues. I double checked the new previewer was used -- I can see the GetPreviewMarkup API call being used so it's all good.

    Looking forward to the final release.

  • Lee Kelleher 3799 posts 14048 karma points MVP 8x admin c-trib
    Aug 07, 2018 @ 09:13
    Lee Kelleher
    1

    Thanks Daniël, that's excellent news!

    I'll get a new release scheduled in. I'm wanting to bump the version number up to v1.0 too. (My v0.x experiment has gone on far too long now.)

  • jeffrey.schoemaker@perplex.nl 276 posts 1064 karma points MVP 2x c-trib
    Aug 07, 2018 @ 10:07
    jeffrey.schoemaker@perplex.nl
    0

    Thanks for fixing this, Lee! You've made the world a bit safer today :)!
