Closed (won't fix)
Project:
Drupal.org CVS applications
Component:
new project application
Priority:
Normal
Category:
Task
Assigned:
Unassigned
Issue tags:
Reporter:
Created:
24 Jan 2011 at 00:10 UTC
Updated:
18 Aug 2018 at 17:25 UTC
Jump to comment: Most recent, Most recent file
Comments
Comment #1
cafa commentedModule name: duaccess
Tested: Drupal 7
This module addresses a need discussed in the two threads listed at the bottom of this comment. Specifically, the ability to keep a user from bringing up a site's content by using the node/number form of the url( node/3, ?q=node/3, index.php?q=node/3, etc.).
There are many practical reasons why a site's owner might want content to be semi-private, that is, to be available publicly but only to those knowing the alias.
One example, a person using Drupal could create 5 different resumes/cover-letters and set setting each node alias to some arbitrary string and email the aliased URL to the HR department.
However a savvy HR representative or tech team, instead of using the alias they received, might be expected to try up nodes by the node/number instead, Drupal creates nodes sequentially and many small Drupal installations have less than 50 nodes. It wouldn't take long for an organization to find all the cover-letters/resumes on it.
My module fixes this for those Drupal users who need this type of functionality. Nodes can only be viewed when a person uses the node alias value, a node number won't work.
A demonstration:
Each of the four URLs below point to the same page on my website but only the last one shows any content. You can mouse-over the comment link when you bring up the page to see its really node/8. Try it and see what you think.
http://stanik.us/node/8
http://stanik.us/?q=node/8
http://stanik.us/index.php/?q=node/8
http://stanik.us/drupal/spirit
Here are a posts where others have been looking for an answer to a similar problem.
http://drupal.org/node/500296
http://drupal.org/node/881182
Comment #2
avpadernoHello, and thank you for applying for a CVS account. I am adding the review tags, and some volunteers will review the code, pointing out what it needs to be changed.
I will report here a little checklist:
As per requirements, the motivation message should include more than two sentences (the exact words are a few paragraphs) that describe the project features. For themes, it should include also a screenshot of the theme (at least 640x400 pixels), and (when possible) a link to a working demo site; for modules, it should include also a comparison with the existing solutions.
Comment #3
cafa commentedI've fixed the warnings that the 'coder' has identified and ready to give you an updated version when you are ready.
Where do I update the "motivational" message;. Is this a field in the code somewhere or on the website itself? Let me know and I'll update.
I'm not using their party files so bullet point #2 doesn't apply. I don't include a license file, point #3 doesn't apply.
Comment #4
avpadernoHello, cafa.
Just write the updated, expanded motivation in a comment here.
Comment #5
cafa commentedMotivation statement:
This module blocks URLs form accessing content using the "node/number" form of the Drupal URL, example.com/node/123, example.com/?q=node/123, example.com/index.php?q=node/123, forcing a user to use a node's alias instead.
Without this functionality it is impossible to hide certain content behind secretive node aliases when a competitor or anyone can scan the entire site using node values, node/1, node/2, .... node/N. For small Drupal sites having a limited number of nodes, node scans are a concern.
A website owner needs content to be accessible by only the node-alias when they are distributing semi-published items using unique URLs (project-x/spec-12345) for things like specifications, data-sheets, press releases or other sensitive information.
This module is configurable by role, using Drupal permissions. A site's owner can apply blocking so it affects only the unauthenticated user but regular logged-in users are unaffected. The administrator account is never blocked.
The functionality this module provides is different than what the redirect modules do. When the redirect module gets a node/number URL, it looks up the alias and does a browser redirect to the new name; node scanning is still possible. This module blocks node/number to alias-name redirects.
Comment #6
cafa commentedComment #7
cafa commentedIs been almost a week since I've heard anything. Are you waiting for me to do something that I'm supposed to but I'm not doing it because I don't know what it is?
Let me know.
Comment #8
zzolo commentedHi. Please read all the following and the links provided as this is very important information about your CVS Application:
Drupal.org has moved from CVS to Git! This is a very significant change for the Drupal community and for your application. Please read the following documentation on how this affects and benefits you and the application process:
Migrating from CVS Applications to (Git) Full Project Applications
Comment #9
avpadernoAs per previous comment, I am setting this issue as Won't fix.
Since new users can now create full projects, applications have a different purpose and they are handled on a different issue queue. See Apply for permission to opt into security advisory coverage for more information.