librelist archives

« back to archive

Block browse access to unpublished articles

Block browse access to unpublished articles

From:
Shaun Gilroy
Date:
2014-04-02 @ 17:34
Hi--

I've noticed that if you can guess the URL to an unpublished article, 
you can view it even in the publication date is in the future. Does 
anybody know a way to nix that? If an article's date is in the future, I 
don't want anyone to be able to access it.

-Shaun

Re: [nesta] Block browse access to unpublished articles

From:
Graham Ashton
Date:
2014-04-02 @ 18:51
On 2 Apr 2014, at 18:34, Shaun Gilroy <shaun@wildhuntcomic.com> wrote:

> I've noticed that if you can guess the URL to an unpublished article, 
> you can view it even in the publication date is in the future. Does 
> anybody know a way to nix that? If an article's date is in the future, I 
> don't want anyone to be able to access it.

Ah. That was rather “by design”. Do you know a way that somebody might be 
able to discover the URL?

I’ve sometimes used this “feature” to enable me to send unpublished 
articles round to people for review, prior to future publication on the 
site and in the atom feed and XML sitemap.

To override the behaviour I suspect you’ll need to modify the Page#hidden? method.

Take a look at the `select` call here, which filters the articles that are
shown by date:

https://github.com/gma/nesta/blob/master/lib/nesta/models.rb#L204

I think you’d need to modify `hidden?` down on line 217 in a similar veign.

To modify it, you can override it in your app.rb file.

Consider what follows to be pseudocode; I haven’t run it or tested it, but
it’s the first thing I’d try if I really wanted to hide pages that weren’t
yet published. On the other hand, it might just fix your problem. The 
intent is that you’d run the `cat` command in the folder that contains 
your site.

    $ cat >> app.rb
    module Nesta
      class Page
        def hidden?
          Nesta::App.production? && (draft? || date > DateTime.now)
        end
      end
    end

Cheers,
Graham



-- 
Graham Ashton
Founder, Agile Planner
https://www.agileplannerapp.com | @agileplanner | @grahamashton

Re: [nesta] Block browse access to unpublished articles

From:
Shaun Gilroy
Date:
2014-04-03 @ 06:24
Alright--

So I got this working well enough for my purposes by adding the 
following to my theme's app.rb:

*    class Page**
**        def hidden?**
**            (draft? || (date && date > DateTime.now) ) && 
Nesta::App.production?**
**        end**
**    end**
*
I had to add that first date check for pages with without a date defined 
(no '>' operator on nil objects, after all). This blocks views to 
unpublished pages in production. which is good enough for now.

I think I'll play with HTTP Auth for hidden pages in the future, but 
this is good for now. :)

-Shaun

On 4/2/14, 11:51 AM, Graham Ashton wrote:
> On 2 Apr 2014, at 18:34, Shaun Gilroy <shaun@wildhuntcomic.com> wrote:
>
>> I've noticed that if you can guess the URL to an unpublished article,
>> you can view it even in the publication date is in the future. Does
>> anybody know a way to nix that? If an article's date is in the future, I
>> don't want anyone to be able to access it.
> Ah. That was rather “by design”. Do you know a way that somebody might 
be able to discover the URL?
>
> I’ve sometimes used this “feature” to enable me to send unpublished 
articles round to people for review, prior to future publication on the 
site and in the atom feed and XML sitemap.
>
> To override the behaviour I suspect you’ll need to modify the 
Page#hidden? method.
>
> Take a look at the `select` call here, which filters the articles that 
are shown by date:
>
> https://github.com/gma/nesta/blob/master/lib/nesta/models.rb#L204
>
> I think you’d need to modify `hidden?` down on line 217 in a similar veign.
>
> To modify it, you can override it in your app.rb file.
>
> Consider what follows to be pseudocode; I haven’t run it or tested it, 
but it’s the first thing I’d try if I really wanted to hide pages that 
weren’t yet published. On the other hand, it might just fix your problem. 
The intent is that you’d run the `cat` command in the folder that contains
your site.
>
>      $ cat >> app.rb
>      module Nesta
>        class Page
>          def hidden?
>            Nesta::App.production? && (draft? || date > DateTime.now)
>          end
>        end
>      end
>
> Cheers,
> Graham
>
>
>

Re: [nesta] Block browse access to unpublished articles

From:
Shaun Gilroy
Date:
2014-04-02 @ 20:31
On 4/2/14, 11:51 AM, Graham Ashton wrote:
> On 2 Apr 2014, at 18:34, Shaun Gilroy <shaun@wildhuntcomic.com> wrote:
>
>> I've noticed that if you can guess the URL to an unpublished article,
>> you can view it even in the publication date is in the future. Does
>> anybody know a way to nix that? If an article's date is in the future, I
>> don't want anyone to be able to access it.
> Ah. That was rather "by design". Do you know a way that somebody might 
be able to discover the URL?
>
I'll give your suggestion a shot, then and see what happens.

Incidentally my use case is that I'm running a webcomic using Nesta and 
I have a page structure:

  * comic
      o chapter-1
          + page-1...

so I end up with URLs like: 
http://www.wildhuntcomic.com/comic/chapter-1/page-4 -- which is an ideal 
url for a lot of reasons. BUT if I pre-publish, page-6, for instance, it 
would be pretty easy for someone to extrapolate what the next URL page 
would be and get access to pages before I want them getting around to 
people.

So basically, I have to restrict myself to a weekly deploy for page 
updates at the moment and I'd rather queue them up ahead of time if I 
can sort this out.

-Shaun

Re: [nesta] Block browse access to unpublished articles

From:
Wynn Netherland
Date:
2014-04-02 @ 21:39
You might check out using HTTP auth [1] if @page.draft? if you want to
allow yourself to preview pages in production.

[1]: http://www.sinatrarb.com/faq.html#auth

Cheers,

***
Wynn Netherland
web: http://wynn.fm
twitter / skype / facebook: pengwynn
linkedin: http://linkedin.com/in/netherland


On Wed, Apr 2, 2014 at 3:31 PM, Shaun Gilroy <shaun@wildhuntcomic.com>wrote:

>  On 4/2/14, 11:51 AM, Graham Ashton wrote:
>
> On 2 Apr 2014, at 18:34, Shaun Gilroy <shaun@wildhuntcomic.com> 
<shaun@wildhuntcomic.com> wrote:
>
>
>  I've noticed that if you can guess the URL to an unpublished article,
> you can view it even in the publication date is in the future. Does
> anybody know a way to nix that? If an article's date is in the future, I
> don't want anyone to be able to access it.
>
>  Ah. That was rather "by design". Do you know a way that somebody might 
be able to discover the URL?
>
>
>  I'll give your suggestion a shot, then and see what happens.
>
> Incidentally my use case is that I'm running a webcomic using Nesta and I
> have a page structure:
>
>    - comic
>       - chapter-1
>          - page-1...
>
> so I end up with URLs like:
> http://www.wildhuntcomic.com/comic/chapter-1/page-4 -- which is an ideal
> url for a lot of reasons. BUT if I pre-publish, page-6, for instance, it
> would be pretty easy for someone to extrapolate what the next URL page
> would be and get access to pages before I want them getting around to
> people.
>
> So basically, I have to restrict myself to a weekly deploy for page
> updates at the moment and I'd rather queue them up ahead of time if I can
> sort this out.
>
> -Shaun
>