posts in restricted categories shown on user profile page
By Julius de Kempenaer on Saturday, 03 January 2015
Posted in Technical Issues
Replies 5
Likes 0
Views 804
Votes 0
while checking the redirects on my site I noticed that there were a number of 404 hits on certain discussion posts.

These posts belong to a category that is only accessible to a restricted group of users. Further investigation learned that the links that caused the 404s are perfectly fine but only when a user, belonging to the proper group, is logged in. Trying to access that link as 'public' or a different group causes the 404.

The 'referring page' shown in the redirects is the profile page which lists all posts posted by that user.

Now the 'strange' things I see are:

1. The profile page of the user displays posts in restricted categories to users that have no access to those categories. I think those posts should be hidden from users that hav no access to these categories.

2. When a user clicks a link to a post which is restricted to them a 404 is triggered. I think a login page should be shown instead, maybe together with a message that user has no access to that category.

Obviously when these restricted posts are not shown on the user profile, other users cannot click the links and a 404 will never be triggered.....
Hello Julius,

Hm, sorry but not really sure if I understand you here. How can I reproduce this issue on the site? The reason that a 404 is generated is actually because this would let Google know that these pages shouldn't be indexed. If it displays a login form / redirection, Google would think that these are actually duplicate pages.
Mark
·
Saturday, 03 January 2015 16:52
·
0 Likes
·
0 Votes
·
0 Comments
·
Hi Mark,

with regard to the 404. that sends the message that a page does not exist. I agree with your reasoning that google should not index that page but sending a 404 tells google that the page does not exist, which is not true, the page def exists. Following the same rationale I would say that a 403 forbidden should be sent to google or anyone else who tries to hit the page unauthorizes for that matter.... ?

How to reproduce it is In the optional text field in site details.

Also what about the displaying of posts in a restricted category on a profile page to users who do not have access to that category?

jk
Julius de Kempenaer
·
Wednesday, 07 January 2015 05:55
·
0 Likes
·
0 Votes
·
0 Comments
·
Hello Julien,

Sorry for the delay of this reply, extremely occupied with the development of EasyBlog 5. Hm, yeah you are right! I think it should display a 403 access denied rather than a 404 page. If you can provide me with the FTP access, I can quickly add a fix for the site.
Mark
·
Thursday, 08 January 2015 00:28
·
0 Likes
·
0 Votes
·
0 Comments
·
Hi Mark, Thanks for agreeing

Instead of fixing the 404 to 403 how about preventing these posts to be shown to user with no access to the category in the first place? THAT is the root cause of the problem to begin with.

Furthermore. If you fix it now, what will happen when I upgrade ED to a newer version? I assume the "fix" will be overwritten and we're back to square 1 ?

Julius
Julius de Kempenaer
·
Thursday, 08 January 2015 05:49
·
0 Likes
·
0 Votes
·
0 Comments
·
Hello Julius,

Good point there. We should fix the root cause. You can provide us your FTP so we can directly fix it in your site. And this fix will be included in the next release.
Nik Faris
·
Thursday, 08 January 2015 11:13
·
0 Likes
·
0 Votes
·
0 Comments
·
View Full Post