protected pages #70

Open
sunnysideup opened this issue Apr 17, 2018 · 7 comments

sunnysideup (Collaborator) commented Apr 17, 2018

It appears to me that in version 4.3.0, when you have a page that is only accessible to admins, then once it is cached (by an admin browsing the site) this page is accessible to anyone. While this is logical and correct, I would suggest that the following is added "out of the box" (just a concept at this stage):

<?php

/**
 * Concept: refuse to cache any request that is tied to a logged-in user or to
 * session state, so that an admin-only page browsed by an admin is never stored
 * and later served from the cache to an anonymous visitor.
 */
class BasicProtection extends DynamicCacheExtension {

    public function updateEnabled(&$enabled) {

        // Disable caching for this request if a user is logged in
        if (Member::currentUserID()) {
            $enabled = false;
        }

        // Disable caching for this request if in dev mode
        elseif (Director::isDev()) {
            $enabled = false;
        }

        // Disable caching for anonymous requests that carry session data
        else {
            $session = Session::get_all();
            if ($session && count($session)) {
                $enabled = false;
            }
        }
    }
}

You can then add a config option to turn off this basic protection.

sunnysideup (Collaborator, Author) commented Apr 19, 2018

This is what I have written:

https://github.com/sunnysideup/silverstripe-dynamic_cache_secure/blob/master/code/api/DynamicCacheSecureAndFlushable.php

I guess the issue is that, when installed, any content editor can set any page to be "ADMIN ONLY". However, in reality, if they visit the page, it will be indexed in the cache and therefore available to anyone.

sunnysideup (Collaborator, Author) commented:

We observed some really strange behaviour:

  1. Create a new page "TEST" that is only visible to admins.

  2. Visit the page a few times while logged in.

  3. Log out.

  4. Open Firefox.

  5. Type in the URL of the TEST page.

We found that on the same machine the page was actually accessible. In the header it said: x-dynamiccache: skipped. Other machines in the office could not access the page. We do not have any kind of proxy running in our office AFAIK.

tractorcow (Owner) commented:

What if we added member ID from the session to the cache key? Wouldn't user ID segment the cache appropriately?

tractorcow (Owner) commented:

Yeah, I think DynamicCache::getCacheKey() should consider user ID as well. Would that fix your issue?

sunnysideup (Collaborator, Author) commented Apr 25, 2018

Hi Damian,

Let me firstly say that this is an awesome module. Adding the user ID may be a good idea. This is what I wrote so far:

https://github.com/sunnysideup/silverstripe-dynamic_cache_secure/blob/master/code/api/DynamicCacheSecureAndFlushable.php

THANK YOU for your help.
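The two ideas raised in this thread (the BasicProtection concept from the first comment, and tractorcow's suggestion to put the member ID into the cache key) can be combined in a single extension. The following is an added example written for this page; it is not code from the dynamiccache module or from the linked sunnysideup repository. It assumes the SilverStripe 3 APIs used in the thread (Member::currentUserID(), Director::isDev(), Session::get_all(), Config::inst()), that DynamicCache calls the updateEnabled(&$enabled) hook shown in the thread, and that a matching updateCacheKey(&$cacheKey) hook is invoked from DynamicCache::getCacheKey(); that second hook name and both config keys are assumptions chosen for the example. The decision logic is kept in pure static functions so it can be unit-tested without bootstrapping the framework.

```php
<?php

/**
 * Added example, not the module's own code.
 *
 * 1. updateEnabled: refuse to cache a request made by a logged-in member,
 *    in dev mode, or by an anonymous visitor who already carries session data.
 * 2. updateCacheKey: segment the key by member ID so that, even if the first
 *    protection is switched off via config, a page rendered for an admin is
 *    never served from cache to an anonymous visitor.
 *
 * Assumed hook names: updateEnabled (used in the thread) and updateCacheKey.
 * Config keys below are hypothetical names chosen for this example.
 */
class MemberAwareCacheProtection extends DynamicCacheExtension
{
    /** Hypothetical config flag: set to false to allow caching for logged-in members. */
    private static $disable_for_logged_in = true;

    /** Hypothetical config flag: set to false to stop adding the member ID to the key. */
    private static $segment_key_by_member = true;

    /**
     * Pure decision: should this request be cached at all?
     *
     * @param bool  $enabled            current cache state for the request
     * @param int   $memberID           logged-in member ID, 0 when anonymous
     * @param bool  $isDev              whether the site runs in dev mode
     * @param array $session            session data attached to the request
     * @param bool  $disableForLoggedIn value of the disable_for_logged_in flag
     * @return bool
     */
    public static function shouldCache($enabled, $memberID, $isDev, array $session, $disableForLoggedIn)
    {
        if (!$enabled) {
            return false; // another extension already opted out
        }
        if ($isDev) {
            return false; // never cache in dev mode
        }
        if ($disableForLoggedIn && $memberID > 0) {
            return false; // authenticated response may contain permission-specific content
        }
        if (count($session) > 0) {
            // Anonymous but stateful (e.g. a form's CSRF token, flash messages):
            // treat as per-user content, as the BasicProtection concept does.
            return false;
        }
        return true;
    }

    /**
     * Pure key builder: all anonymous traffic shares one segment,
     * every member gets a segment of their own.
     */
    public static function segmentKey($cacheKey, $memberID, $segmentByMember)
    {
        if (!$segmentByMember) {
            return $cacheKey;
        }
        $segment = $memberID > 0 ? (string) (int) $memberID : 'anon';
        return $cacheKey . '|member=' . $segment;
    }

    public function updateEnabled(&$enabled)
    {
        $enabled = self::shouldCache(
            $enabled,
            (int) Member::currentUserID(),
            Director::isDev(),
            (array) Session::get_all(),
            (bool) Config::inst()->get(__CLASS__, 'disable_for_logged_in')
        );
    }

    public function updateCacheKey(&$cacheKey)
    {
        $cacheKey = self::segmentKey(
            $cacheKey,
            (int) Member::currentUserID(),
            (bool) Config::inst()->get(__CLASS__, 'segment_key_by_member')
        );
    }
}
```

The extension would be attached to DynamicCache through the usual `extensions` config key, assuming DynamicCache accepts extensions that way. Key segmentation on its own is not a complete fix: a page cached under a member's segment stays valid until it expires or is flushed, so if that member's group membership is later revoked they keep seeing the old copy. Disabling the cache for logged-in members is therefore the safer default, and the per-member key is defence in depth for sites that turn that default off.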

dhensby (Contributor) commented Jul 19, 2018

@sunnysideup you want to PR anything to fix the problems you describe?

sunnysideup (Collaborator, Author) commented:

I will only have a look at this in a few weeks. Here is basically what I propose to add:

https://github.com/sunnysideup/silverstripe-dynamic_cache_secure/blob/master/code/api/DynamicCacheSecureAndFlushable.php
