CVS edit link for cafa

I wrote a module that I'm using on my site which other people talked about wanting that functionality in the forums but there was no real solution.

Module is for Drupal 7 and I'll maintain it.

CommentFileSizeAuthor
#1 duaccess.tar_.gz1.25 KBcafa

Comments

cafa’s picture

Component: Miscellaneous » miscellaneous
Status: Postponed (maintainer needs more info) » Needs review
StatusFileSize
new1.25 KB

Module name: duaccess
Tested: Drupal 7

This module addresses a need discussed in the two threads listed at the bottom of this comment. Specifically, the ability to keep a user from bringing up a site's content by using the node/number form of the url( node/3, ?q=node/3, index.php?q=node/3, etc.).

There are many practical reasons why a site's owner might want content to be semi-private, that is, to be available publicly but only to those knowing the alias.

One example, a person using Drupal could create 5 different resumes/cover-letters and set setting each node alias to some arbitrary string and email the aliased URL to the HR department.

However a savvy HR representative or tech team, instead of using the alias they received, might be expected to try up nodes by the node/number instead, Drupal creates nodes sequentially and many small Drupal installations have less than 50 nodes. It wouldn't take long for an organization to find all the cover-letters/resumes on it.

My module fixes this for those Drupal users who need this type of functionality. Nodes can only be viewed when a person uses the node alias value, a node number won't work.

A demonstration:

Each of the four URLs below point to the same page on my website but only the last one shows any content. You can mouse-over the comment link when you bring up the page to see its really node/8. Try it and see what you think.

http://stanik.us/node/8
http://stanik.us/?q=node/8
http://stanik.us/index.php/?q=node/8
http://stanik.us/drupal/spirit

Here are a posts where others have been looking for an answer to a similar problem.

http://drupal.org/node/500296
http://drupal.org/node/881182

avpaderno’s picture

Component: miscellaneous » new project application
Status: Needs review » Needs work
Issue tags: +Module review

Hello, and thank you for applying for a CVS account. I am adding the review tags, and some volunteers will review the code, pointing out what it needs to be changed.

I will report here a little checklist:

  • The code needs to follow the coding standards; check in particular the format used for the control structures, and the name given to PHP variables, Drupal persistent variables, functions defined from the module.
  • Files available from third-party sites should not be included within the module/theme. This is particularly true for files that are not licensed under GPL License v2, but it is also true for files that are licensed under the same license used by Drupal.
  • The license file should not be included as well; the packaging script already include that file. In any cases, the code for modules/themes committed in drupal.org repository needs to be released under the same license used by Drupal; any compatible license is not allowed.
  • Check the code passes the Coder validation.

As per requirements, the motivation message should include more than two sentences (the exact words are a few paragraphs) that describe the project features. For themes, it should include also a screenshot of the theme (at least 640x400 pixels), and (when possible) a link to a working demo site; for modules, it should include also a comparison with the existing solutions.

cafa’s picture

I've fixed the warnings that the 'coder' has identified and ready to give you an updated version when you are ready.

Where do I update the "motivational" message;. Is this a field in the code somewhere or on the website itself? Let me know and I'll update.

I'm not using their party files so bullet point #2 doesn't apply. I don't include a license file, point #3 doesn't apply.

avpaderno’s picture

Hello, cafa.
Just write the updated, expanded motivation in a comment here.

cafa’s picture

Motivation statement:

This module blocks URLs form accessing content using the "node/number" form of the Drupal URL, example.com/node/123, example.com/?q=node/123, example.com/index.php?q=node/123, forcing a user to use a node's alias instead.

Without this functionality it is impossible to hide certain content behind secretive node aliases when a competitor or anyone can scan the entire site using node values, node/1, node/2, .... node/N. For small Drupal sites having a limited number of nodes, node scans are a concern.

A website owner needs content to be accessible by only the node-alias when they are distributing semi-published items using unique URLs (project-x/spec-12345) for things like specifications, data-sheets, press releases or other sensitive information.

This module is configurable by role, using Drupal permissions. A site's owner can apply blocking so it affects only the unauthenticated user but regular logged-in users are unaffected. The administrator account is never blocked.

The functionality this module provides is different than what the redirect modules do. When the redirect module gets a node/number URL, it looks up the alias and does a browser redirect to the new name; node scanning is still possible. This module blocks node/number to alias-name redirects.

cafa’s picture

Status: Needs work » Needs review
cafa’s picture

Is been almost a week since I've heard anything. Are you waiting for me to do something that I'm supposed to but I'm not doing it because I don't know what it is?

Let me know.

zzolo’s picture

Status: Needs review » Postponed

Hi. Please read all the following and the links provided as this is very important information about your CVS Application:

Drupal.org has moved from CVS to Git! This is a very significant change for the Drupal community and for your application. Please read the following documentation on how this affects and benefits you and the application process:
Migrating from CVS Applications to (Git) Full Project Applications

  • The status of this application will be put to "postponed" and by following the instructions in the above link, you will be able to reopen it.
  • Or if your application has been "needs work" for more than 5 weeks, your application will be marked as "closed (won't fix)". You can still reopen it, by reading the instructions above.
avpaderno’s picture

Issue summary: View changes
Status: Postponed » Closed (won't fix)

As per previous comment, I am setting this issue as Won't fix.
Since new users can now create full projects, applications have a different purpose and they are handled on a different issue queue. See Apply for permission to opt into security advisory coverage for more information.