Preview mode requires disableFindContentByIdPath="false"
Hi guys,
I love this package, but one thing I don't really get is why the preview mechanism uses a request to http://mysite.com/<current-node-id>?dgtePreview=1 for its preview functionality?
This requires the setting disableFindContentByIdPath to be set to false in umbracoSettings.config (<web.routing> element). Setting this to false (which I believe is actually the default for some reason) means any user in the world (including malicious ones) can get a complete list of all node IDs present in the site's Umbraco installation (by just running http://mysite.com/<node-id> for all integers and checking the response).
While I am not sure if this poses a security issue, we like to not unnecessarily open doors. In addition, it makes no sense for a website to respond to a /<node-id> path anyway. Therefore we prefer to have this setting set to true. Of course, that breaks DTGE so that's not always an option.
Long story short; would it be possible to change the preview mechanism to not rely on this fairly odd Umbraco functionality? Perhaps just use an API controller to render the preview partial view HTML -- although I know rendering a (partial) view in an API controller is not as easy as I would want it to be.
-- Daniël
Hi Daniël,
Thanks for raising this. I wasn't aware of the disableFindContentByIdPath option in umbracoSettings.config.
DTGE's previewer has long been a thorn in my side. The original design decision was made 3 years ago and any hiccups were worked around.
I have been wanting the preview mechanism to be completely refactored - but time, effort and dealing with backwards-compatibility have been a problem.
See here for various efforts over the years: https://github.com/umco/umbraco-doc-type-grid-editor/issues?utf8=%E2%9C%93&q=is%3Aissue+in%3Atitle+preview
I appreciate that it's frustrating.
For this specific disableFindContentByIdPath=true issue, I've opened a ticket on our GitHub repo: https://github.com/umco/umbraco-doc-type-grid-editor/issues/109
It has details about the unfinished previewer (in the feature/preview-unpublished branch), which does use a WebAPI controller to render the partial. It's on the right track, needs more dev hours and testing (to make sure backwards-compatibility is good).
Cheers,
- Lee
Hi Lee,
Just a bit more info and background about the "disableFindContentByIdPath". We have it disabled (or set to 'true' actually) in our default environment because it makes it possible to do simple node-traversal on websites and allows all pages on the sites to be crawled even if they are not in the sitemap, for example.
Some example-pages on umbraco.com are:
By doing node iteration you can maybe find pages that are hidden to the general public but only available for persons who know the exact URL. It is security by obscurity, but we probably all have been there :P. And this makes it really easy to find these pages.
Furthermore it can give some reference about how the code of the website is set up. If there were blog comments, for example, on the above blog pages, and you see that there are 10 blog comments and the next number that gives results is https://umbraco.com/
So for that reason I would love to see that the preview in DTGE will get some TLC so we can use DTGE & make our umbraco-install a bit safer.
Kind regards, Jeffrey
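A configuration check for the setting discussed in the original post and in Jeffrey's reply above, added here as an example (it is not code from the DTGE project or from any poster). It assumes umbracoSettings.config has a <settings> root with a <web.routing> child carrying the disableFindContentByIdPath attribute, and it runs against constructed samples rather than a real site's file:

```python
import xml.etree.ElementTree as ET

# Constructed samples of the <web.routing> element as the thread describes it.
# The <settings> root element is an assumption; only the attribute under review is shown.
WEAK_CONFIG = """<settings>
  <web.routing disableFindContentByIdPath="false" />
</settings>"""

HARDENED_CONFIG = WEAK_CONFIG.replace('"false"', '"true"')

# Edge case: attribute not present at all.
MISSING_ATTR_CONFIG = """<settings>
  <web.routing />
</settings>"""


def id_path_lookup_disabled(config_xml: str) -> bool:
    """Return True only if the config explicitly sets disableFindContentByIdPath="true",
    i.e. /<node-id> URLs no longer resolve to content.

    A missing attribute is treated as NOT disabled: the thread reports "false" as the
    shipped default (assumed here), so absence must not pass the check.
    """
    root = ET.fromstring(config_xml)
    # Iterate children rather than using a path expression, since the tag contains a dot.
    routing = next((child for child in root if child.tag == "web.routing"), None)
    if routing is None:
        return False
    value = routing.get("disableFindContentByIdPath", "false")
    return value.strip().lower() == "true"


def audit(config_xml: str) -> str:
    """One-line finding for a configuration review report."""
    if id_path_lookup_disabled(config_xml):
        return "OK: disableFindContentByIdPath=true; /<node-id> requests do not resolve to content"
    return ("FINDING: disableFindContentByIdPath is false or unset; an integer path such as /1234 "
            "resolves to the node with that id, so node IDs (and pages kept out of the sitemap) "
            "can be enumerated. DTGE below 0.6.0 depends on this for its previewer.")


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("missing", MISSING_ATTR_CONFIG)):
        print(f"{name}: {audit(cfg)}")
```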
Hi Lee,
Thanks for your quick and detailed response. Good to hear there is already some work done on a new preview mechanism. Hopefully some people from the community can help with finishing the feature. I'm a bit full atm myself but let's see if I can also find some time in the near-ish future :)
-- Daniël
Just to let you guys know that we've completed the refactoring of the preview mechanism and have released a beta of v0.6.0.
All details are here: https://github.com/umco/umbraco-doc-type-grid-editor/releases/tag/0.6.0-beta
I've made it a beta, as we'd like to have some testers make sure that their existing DTGE implementations still work with the new previewer.
If you guys have time/resource to test it out too, that would be hugely appreciated.
The beta is at the following places...
Thanks,
- Lee
That's amazing Lee! I'll try my best to test this next week with an existing implementation of DTGE in a project and will let you know how it went :) Hopefully some others can check it out too.
Thanks Daniël!
I've tested it out on a couple of my client's websites, (but they are fairly old, v7.6 sites). (I haven't used DTGE on a new project recently).
Those are working fine with the new previewer, but yeah always good to have feedback from a wider audience.
Hi Lee,
I just tested this on one of our sites currently in development, and it worked perfectly. It was an Umbraco 7.11.1 site with DTGE 0.5.0. I upgraded via NuGet to 0.6.0-beta and set disableFindContentByIdPath to true again.
Everything worked as before without issues. I double checked the new previewer was used -- I can see the GetPreviewMarkup API call being used so it's all good.
Looking forward to the final release.
Thanks Daniël, that's excellent news!
I'll get a new release scheduled in. I'm wanting to bump the version number up to v1.0 too. (My v0.x experiment has gone on far too long now.)
Thanks for fixing this, Lee! You've made the world a bit safer today :)!
Hi Lee,
Any idea when you will release the new version :-)? We are eagerly awaiting this amazing upgrade!
Hi Daniël, I'm back from vacation now, I've added the release to my todo list :-)
@Lee Great!
Hi Daniël,
Overdue, DTGE v0.6.0 (non-beta) has been released! Apologies for the wait.
https://github.com/umco/umbraco-doc-type-grid-editor/releases/tag/0.6.0
Cheers,
- Lee
Thanks Lee, great it's out of beta and we are happy to wait a bit for your great work, no worries :-)!
Maybe the documentation should be updated.
I'm new to DTGE, love it so far, but I was just sitting and trying the old way because I looked in the documentation :D
I like the update tho.
Hi Dan,
I thought I'd updated the documentation, what did I miss?
If there's anything you think could be clearer, let me know - or better yet, send over the gift of a pull-request.
Thanks,
- Lee
Hi Lee
It was Just in the "Doc-Type-Grid-Editor---Developers-Guide.pdf" :)
Thanks Dan. I'd forgot that was still linked on the project page, I'll remove it.
Latest dev guide is on the GitHub repo: https://github.com/umco/umbraco-doc-type-grid-editor/blob/develop/docs/developers-guide.md
I'll update the project page soon.
Cheers,
- Lee