[MULTISITE-63] Using site A prefix + node path from site B passes CrossSite filter Created: 01/Aug/16  Updated: 21/Dec/16  Resolved: 16/Dec/16

Status: Closed
Project: Magnolia Multisite Module
Component/s: None
Affects Version/s: 1.2.3
Fix Version/s: None

Type: Bug Priority: Major
Reporter: jessica nash Assignee: Ilgun Ilgun
Resolution: Duplicate Votes: 0
Labels: Timeboxed
Remaining Estimate: 0d
Time Spent: 0.25d
Original Estimate: Not Specified

Attachments: PNG File crossSite_resolvers.png, PNG File resolver4author_scope.png
Issue Links:
Relates
relates to MULTISITE-55 Re-evaluate cross site access rules Closed
relates to MAGNOLIA-6388 Uri2RepositoryMapping.getHandle() all... Closed
causality
duplicate
duplicates MAGNOLIA-6882 Remove legacy code that allows to acc... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Documentation update required:
Yes
Date of First Response:
Sprint: Basel 74
Story Points: 8

Description

To reproduce (the following setup is for 5.4.5 STK, but it is also reproducible on higher Magnolia versions):

Notes

  • The first part of the link (http://www.test1.com:8080/magnoliaAuthor/demo-project/) is correct, but the second part (/demo-features/content-templates/article) comes from a different site, which should be evaluated as non-existent and therefore receive a 404. Instead it renders the "demo-features" content (which is mapped to the www.test2.com domain).
  • "http://www.test1.com:8080/magnoliaAuthor/demo-project/foo" correctly receives a 404 because there is no "foo" page.


Comments
Comment by Philip Mundt [ 08/Aug/16 ]

I was able to reproduce this behaviour. Only the first (root) node of any page in the website workspace is accessible (if everything is set up accordingly). This is due to the default URI2RepositoryMapping resolving (and obviously finding) the node path to the respective node. Any subsequent link will result in a 404 (STK sites need to be modified in order to achieve this).

A possible solution would involve not resolving a node in info.magnolia.multisite.MultiSiteURI2RepositoryManager when the given path is mapped to a different site (not the one that was resolved).

Comment by Philip Mundt [ 13/Dec/16 ]

Cross-site access via <sitename> prefix

Add custom resolvers to crossSite filter that

a) Prevents access from allToAll
b) Allows access from domainA to siteA
c) Allows access from domainB to siteB

Works when accessing the root page (/<sitename>) of the page only

NOTE: MAGNOLIA-6882 (and its counterpart in MULTISITE-69) might actually be responsible for fixing the previous issue where it was possible to access subnodes of a different site by suffixing the domain with the <sitename>, e.g. www.domainA.com/siteA/some-node/from/siteB.html

Adding such resolvers will however break admin / page editor as access from allToAll doesn't work anymore. But there is a feasible workaround for this particular scenario, which is adding another resolver such as:

d) Allows access from domainAuthor to .* (any site)

Even after renaming the sites to have sitename that differ from the root nodes, the solution still works. E.g. __siteA vs. node:siteA

Comment by Jaroslav Simak [ 16/Dec/16 ]

NOTE: MAGNOLIA-6882 (and its counterpart in MULTISITE-69) might actually be responsible for fixing the previous issue where it was possible to access subnodes of a different site by suffixing the domain with the <sitename>, e.g. www.domainA.com/siteA/some-node/from/siteB.html

True, that should be fixed by those tickets you mentioned.

Comment by Martin Drápela [ 21/Dec/16 ]

Elaborating on Philip's comment above, the following procedure worked to allow the author to access and edit the "opposite" pages:

  1. add a new resolver, provisionally called "magnoliaAuthor"
  2. add the context property to the resolver and set it to "/magnoliaAuthor"
  3. increase the generality of the fromDomain property to ".*\.magnolia-cms.com"

It is nevertheless rather difficult to describe a solution suitable for everyone as there will be a number of server (Author/Public) configurations out there.
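The following is an added illustration of the access rule discussed in Philip's and Martin's comments; it is not code from the Magnolia Multisite module and does not use its API. It models two sites in one workspace, an allow-list of crossSite resolvers in the shape described above (b: domainA to siteA, c: domainB to siteB, d: any *.magnolia-cms.com host to any site, limited to the /magnoliaAuthor context, and no catch-all rule, which is what "prevent allToAll" amounts to), and two resolution routines: one that reproduces the reported behaviour (the site prefix is stripped and the remainder found as an absolute workspace path) and a hardened one that refuses to resolve a node outside the subtree of a site the request may reach. Site names, domains, node paths, the Site/Resolver records and the fallback behaviour are all constructed assumptions; selection of a default site for hosts without a domain mapping is not modelled.

```python
import posixpath
import re
from dataclasses import dataclass
from typing import Optional

# Constructed fixture: two sites sharing one "website" workspace.
WORKSPACE = {
    "/demo-project", "/demo-project/about", "/demo-project/about/history",
    "/demo-features", "/demo-features/content-templates",
    "/demo-features/content-templates/article",
}


@dataclass(frozen=True)
class Site:          # hypothetical record, not a Magnolia class
    name: str        # site name, also usable as a "/<sitename>" URI prefix
    root: str        # root node of the site in the workspace
    domain: str      # public domain the site is served on


@dataclass(frozen=True)
class Resolver:      # hypothetical record modelling one crossSite resolver
    from_domain: str               # regex matched against the request host
    to_site: str                   # regex matched against the site name
    context: Optional[str] = None  # restrict the rule to one servlet context


SITES = {
    "siteA": Site("siteA", "/demo-project", "www.domainA.com"),
    "siteB": Site("siteB", "/demo-features", "www.domainB.com"),
}

# Allow-list modelled on the comments above (constructed values). There is no
# catch-all entry, so any host/site pair not listed here is denied.
RESOLVERS = [
    Resolver(r"www\.domainA\.com", r"siteA"),                              # b)
    Resolver(r"www\.domainB\.com", r"siteB"),                              # c)
    Resolver(r".*\.magnolia-cms\.com", r".*", context="/magnoliaAuthor"),  # d)
]


def site_for_host(host: str) -> Optional[Site]:
    """Site whose public domain the request host belongs to, if any."""
    return next((s for s in SITES.values() if s.domain == host), None)


def allowed_sites(host: str, context: str) -> set:
    """Site names the resolvers permit for this host and servlet context."""
    return {
        name for name in SITES
        for r in RESOLVERS
        if re.fullmatch(r.from_domain, host)
        and re.fullmatch(r.to_site, name)
        and (r.context is None or r.context == context)
    }


def split_site_prefix(uri: str):
    """If the first URI segment is a site name or a site root name, return
    (site, remaining path); otherwise (None, uri)."""
    seg, _, rest = uri.lstrip("/").partition("/")
    for site in SITES.values():
        if seg in (site.name, site.root.strip("/")):
            return site, "/" + rest
    return None, uri


def legacy_resolve(host: str, context: str, uri: str):
    """Simplified model of the reported behaviour (an assumption, not the
    module's code): once the site prefix is stripped, the remainder is looked
    up as an absolute workspace path with no check that it lies under the
    selected site's root, so "/demo-project" + a demo-features path renders."""
    site, rest = split_site_prefix(uri)
    if site is None:
        site = site_for_host(host)
        if site is None:
            return 404, None
        rest = uri
    absolute = posixpath.normpath(rest)
    if absolute in WORKSPACE:            # found in another site's subtree
        return 200, absolute
    under_root = posixpath.normpath(site.root + rest)
    return (200, under_root) if under_root in WORKSPACE else (404, None)


def hardened_resolve(host: str, context: str, uri: str):
    """Resolve only nodes inside the subtree of a site the request is allowed
    to reach; everything else is a 404, as the reporter expected."""
    site, rest = split_site_prefix(uri)
    if site is None:
        site = site_for_host(host)
        if site is None:
            return 404, None
        rest = uri
    elif site.name not in allowed_sites(host, context):
        return 404, None                  # cross-site prefix not permitted here
    handle = posixpath.normpath(site.root + rest)
    # The resolved handle must stay inside the selected site's root subtree,
    # even after path normalisation.
    if handle != site.root and not handle.startswith(site.root + "/"):
        return 404, None
    return (200, handle) if handle in WORKSPACE else (404, None)
```

With these rules the reported URL (site A prefix followed by a site B path) is answered with a 404 by `hardened_resolve`, a `/siteB/...` prefix from the author host is honoured only in the `/magnoliaAuthor` context, and the same prefix from www.domainA.com is refused, which is the effect Philip's resolvers a) to d) and Martin's context-restricted author resolver describe.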

Generated at Mon Feb 12 06:06:03 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.