[MGNLETK-108] Cross site access should not possible over default site Created: 22/Nov/13  Updated: 09/Jan/14  Resolved: 07/Jan/14

Status: Closed
Project: Extended Templating Kit (closed)
Component/s: multisite
Affects Version/s: 2.0.5
Fix Version/s: 2.0.16

Type: Bug Priority: Critical
Reporter: Frank Sommer Assignee: Milan Divilek
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Cloners
is cloned by MGNLETK-121 CLONE - Cross site access should not ... Closed
is cloned by MULTISITE-12 Cross site access should not possible... Closed
Relates
relates to MGNLETK-112 Path handle is stripped twice thus ac... Closed
relation
supersession
is superseded by MGNLETK-116 Improve default site evaluation Closed
Template:
Acceptance criteria: Empty
Release notes required: Yes
Date of First Response:

 Description   

With a configured cross-site filter, access across sites is not possible. But there is one exception: access via the default site is still possible.

For example:
www.site-one.com/article.html --> access to the article of site one is possible
www.site-two.com/site-one/article.html --> access is not possible
www.site-two.com/default/site-one/article.html --> access is possible



 Comments   
Comment by Jan Haderka [ 04/Jan/14 ]

How is this resolved when there's no commit in git and no comment explaining other possible ways of fixing the issue?

Comment by Mikaël Geljić [ 06/Jan/14 ]

My bad, pushed branch from master instead of m-m-etk-2.0.x :/
Anyway, good you reopened it; I wanted to discuss and check for potential side effects with you.

Comment by Roman Kovařík [ 07/Jan/14 ]

Make skipping of check for default site configurable.

  • check by default on author to avoid performance issue
  • skip check on public

Comment by Roman Kovařík [ 07/Jan/14 ]

TODO: Create docu ticket after review.

Comment by Milan Divilek [ 07/Jan/14 ]

Reopen: remove bypassDefaultSite property from configuration. By default, the "default" site is always allowed.

Comment by Milan Divilek [ 07/Jan/14 ]

The possibility of including the default site in the cross-site check is left in, but turned off by default to prevent possible configuration issues.
When the default site is checked as well, the domain has to be properly mapped to handle all requests which originally resulted in the default site. The solution is either to leave the default site allowed in the cross-site filter, or to configure the domain to map all requests which could not be resolved by path to be matched for this domain and thus set to the correct site.
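
The behaviour discussed in this ticket, as a simplified model added here for illustration (it is not ETK or Magnolia code and not part of the ticket). The names `resolve`, `is_allowed` and `check_default_site`, the fallback of unmapped hosts to the default site, and the host `www.unmapped.example` are assumptions; the other hosts and paths are the examples from the description.

```python
# Simplified model of a path-based cross-site check. Illustration only, not
# Magnolia/ETK code: resolve(), is_allowed() and check_default_site are
# hypothetical names; the site-one/site-two requests are the ticket's examples.
DEFAULT_SITE = "default"
DOMAIN_TO_SITE = {"www.site-one.com": "site-one", "www.site-two.com": "site-two"}
SITES = set(DOMAIN_TO_SITE.values())

def resolve(host, path):
    """Return (request_site, content_site, via_default) for one request."""
    # Assumption: a host without a domain mapping falls back to the default site.
    request_site = DOMAIN_TO_SITE.get(host, DEFAULT_SITE)
    segments = [s for s in path.split("/") if s]
    via_default = bool(segments) and segments[0] == DEFAULT_SITE
    if via_default:
        segments = segments[1:]
    # A leading site name addresses that site's content; otherwise the content
    # belongs to the default site (explicit prefix) or to the request's site.
    owner = DEFAULT_SITE if via_default else request_site
    content_site = segments[0] if segments and segments[0] in SITES else owner
    return request_site, content_site, via_default

def is_allowed(host, path, check_default_site=False):
    """Decide whether the cross-site check lets the request through."""
    request_site, content_site, via_default = resolve(host, path)
    through_default = via_default or request_site == DEFAULT_SITE
    if through_default and not check_default_site:
        return True  # default site is exempt: the exception reported above
    return content_site == request_site

# Three requests from the description plus one constructed request from a
# host with no domain mapping (placeholder host name).
REQUESTS = [
    ("www.site-one.com", "/article.html"),
    ("www.site-two.com", "/site-one/article.html"),
    ("www.site-two.com", "/default/site-one/article.html"),
    ("www.unmapped.example", "/site-one/article.html"),
]

def evaluate(check_default_site):
    """Map each sample URL to the filter decision for the given mode."""
    return {h + p: is_allowed(h, p, check_default_site) for h, p in REQUESTS}

if __name__ == "__main__":
    for mode in (False, True):
        print("check_default_site =", mode)
        for url, ok in evaluate(mode).items():
            print("  ", "allow" if ok else "deny ", url)
```

With the check extended to the default site, the request from the unmapped host is denied as well, which is the configuration issue the last comment describes: such domains need a mapping before the stricter mode is enabled.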

Generated at Mon Feb 12 01:48:33 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.