
  • Daniël Knippers (68 posts, 439 karma points, MVP, c-trib), 4 days ago

    Preview mode requires disableFindContentByIdPath="false"

    Hi guys,

    I love this package, but one thing I don't really get is why the preview mechanism uses a request to /<current-node-id>?dgtePreview=1 for its preview functionality.

    This requires the setting disableFindContentByIdPath to be set to false in umbracoSettings.config (the <web.routing> element).

    Setting this to false (which I believe is actually the default, for some reason) means any user in the world (including malicious ones) can get a complete list of all node IDs present in the site's Umbraco installation, by just requesting /<node-id> for all integers and checking the response.

    While I am not sure if this poses a security issue, we like to not unnecessarily open doors. In addition, it makes no sense for a website to respond to a /<node-id> path anyway.

    Therefore we prefer to have this setting set to true. Of course, that breaks DTGE so that's not always an option.

    Long story short: would it be possible to change the preview mechanism to not rely on this fairly odd Umbraco functionality? Perhaps just use an API controller to render the preview partial view HTML -- although I know rendering a (partial) view in an API controller is not as easy as I would want it to be.

    -- Daniël
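
Two checks a site owner might want to run after reading the post above, as an added example that is not part of the original thread or of the DTGE/Umbraco code: read the disableFindContentByIdPath attribute out of a umbracoSettings.config document, and replay the /<node-id> enumeration Daniël describes. The config fragments, the base URL and the node IDs are constructed for the example; the probe runs offline against a fake site, with a urllib fetcher included for use against a real one.

```python
"""Two checks for the issue raised in the thread, written for this thread
(not Umbraco or DTGE code): read disableFindContentByIdPath out of a
umbracoSettings.config document, and run the /<node-id> enumeration the
post describes to see which node IDs an anonymous visitor can confirm.
"""
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Set
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed samples of the relevant fragment of umbracoSettings.config.
# Only the attribute under discussion is shown; a real file carries more
# attributes on <web.routing> and many more elements.
WEAK_CONFIG = """<settings>
  <web.routing disableFindContentByIdPath="false" />
</settings>"""

HARDENED_CONFIG = """<settings>
  <web.routing disableFindContentByIdPath="true" />
</settings>"""


def find_by_id_path_disabled(config_xml: str) -> bool:
    """True only when <web.routing disableFindContentByIdPath="true"> is present.

    A missing element or attribute is reported as False: the thread says
    false is the default, so 'not set' means /<id> lookups still work.
    """
    root = ET.fromstring(config_xml)
    for element in root.iter():
        if element.tag == "web.routing":
            value = element.get("disableFindContentByIdPath", "false")
            return value.strip().lower() == "true"
    return False


def probe_node_ids(fetch_status: Callable[[str], int], base_url: str,
                   id_range: range) -> Dict[int, int]:
    """Request <base_url>/<id> for every id in id_range.

    Returns {node_id: http_status} for every id that did not answer 404,
    i.e. the node IDs a visitor can confirm exist. With the attribute set
    to true every id should come back 404 and the dict is empty. DTGE's
    previewer uses the same route with ?dgtePreview=1 appended, which is
    why the thread says the two settings conflict.
    """
    hits: Dict[int, int] = {}
    for node_id in id_range:
        status = fetch_status(f"{base_url.rstrip('/')}/{node_id}")
        if status != 404:
            hits[node_id] = status
    return hits


def http_status(url: str, timeout: float = 5.0) -> int:
    """Real fetcher for probe_node_ids: the HTTP status of a GET request.

    urllib raises HTTPError for 4xx/5xx, so the code is read from the
    error. Redirects are followed, so a site that redirects unknown URLs
    to a landing page reports 200 for every id; probe a known-bad id
    first to learn what 'not found' looks like on that site.
    """
    try:
        with urlopen(Request(url), timeout=timeout) as response:
            return response.getcode()
    except HTTPError as error:
        return error.code


def constructed_site_fetcher(existing_ids: Set[int]) -> Callable[[str], int]:
    """Offline stand-in for http_status: a constructed site where exactly
    the given node IDs resolve (200) and every other integer is 404."""
    def fetch(url: str) -> int:
        return 200 if int(url.rsplit("/", 1)[1]) in existing_ids else 404
    return fetch


if __name__ == "__main__":
    print("weak config disabled?    ", find_by_id_path_disabled(WEAK_CONFIG))
    print("hardened config disabled?", find_by_id_path_disabled(HARDENED_CONFIG))
    # Constructed site: three nodes exist in the probed range.
    fetch = constructed_site_fetcher({1055, 1056, 1100})
    print(probe_node_ids(fetch, "https://example.invalid", range(1050, 1110)))
    # Against a real site, swap in the urllib fetcher (hypothetical URL):
    #   probe_node_ids(http_status, "https://www.example.com", range(1000, 2000))
```

Run it against the constructed site and the probe lists exactly the three IDs that exist; run it with http_status against a site whose config still has the attribute at false and you get the enumeration Daniël is concerned about. Re-run after setting the attribute to true and the dict should be empty, which is also the point at which DTGE's ?dgtePreview=1 route stops working.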

  • Lee Kelleher (3773 posts, 13931 karma points, MVP 8x, admin, c-trib), 4 days ago

    Hi Daniël,

    Thanks for raising this. I wasn't aware of the disableFindContentByIdPath option in umbracoSettings.config.

    DTGE's previewer has long been a thorn in my side. The original design decision was made 3 years ago and any hiccups were worked around.

    I have been wanting the preview mechanism to be completely refactored - but time, effort and dealing with backwards-compatibility have been a problem.

    See here for various efforts over the years:

    I appreciate that it's frustrating.

    For this specific disableFindContentByIdPath=true issue, I've opened a ticket on our GitHub repo:

    It has details about the unfinished previewer (in the feature/preview-unpublished branch), which does use a WebAPI controller to render the partial. It's on the right track, but needs more dev hours and testing (to make sure backwards compatibility is good).

    - Lee

  • Daniël Knippers (68 posts, 439 karma points, MVP, c-trib), 4 days ago

    Hi Lee,

    Thanks for your quick and detailed response. Good to hear there is already some work done on a new preview mechanism. Hopefully some people from the community can help with finishing the feature. I'm a bit full atm myself, but let's see if I can also find some time in the near-ish future :)

    -- Daniël
