Context Navigation

← Previous Ticket
Next Ticket →

We have moved to Github. Please open tickets there.

#3947 closed Defect (fixed)

External pages not viewable for logged-out visitors with Walled-garden option enabled

Reported by:	iionly	Owned by:	sembrestels
Priority:	normal	Milestone:	Elgg 1.8.1
Component:	External Pages	Version:	1.8
Severity:	minor	Keywords:	walled-garden, external pages
Cc:	brett@…, dhrup2000@…	Difficulty:	moderate

Description

If the option "Restrict pages to logged-in users" is enabled, the external pages "About", "Terms" and "Privacy" can not be viewed when not logged in. The links to these pages are shown on the registration page, but clicking on a link only results in the error message "You need to be logged in...".

I believe, these pages should be viewable for logged-out visitors - maybe even more so on a walled-garden site before account registering - to allow for possible new members to read about the terms and privacy policy of the site.

Change History (15)

comment:1 Changed 20 months ago by dhrup2000

Cc dhrup2000@… added

Verified the Code and the Database after creating/updating the pages Privacy, Terms, About for ExPages objects (XAMPP) -- entities' ACCESS ID are set to= "2" (Public).

Looks like ExPages access control works as intended / expected. All the three external Pages are viewable in testing here when logged out of 1.8.0.1.

comment:2 Changed 20 months ago by cash

This is about using the site pages with the walled garden.

Three options:

register the pages as public
offer it as an option per page or for all pages
change nothing and require that anyone wanting this implement through a plugin

comment:3 Changed 20 months ago by cash

Looking for input on this

comment:4 Changed 20 months ago by brettp

Public pages. The original purpose of the external pages plugin was to allow pages "external" to the network, so I think that's how most people expect them to work.

A long term improvement can be an offer the option on each page or all pages.

comment:5 Changed 20 months ago by cash

Difficulty set to trivial
Milestone changed from Needs Review to Elgg 1.8.1

I agree.

comment:6 Changed 20 months ago by iionly

As Brett said, the "external" indicates that the pages are accessible also from outside the network. Especially, pages like "About", "Terms" and "Privacy" are of interest for people prior joining the site also - maybe even more so on a walled garden site where no other "sample" pages are accessible.

May I ask if the walled garden mechanism in Elgg 1.8 is based on the Elgg access level system and allows public content to be viewed by non-members also? I wonder, because "public pages" are mentioned here in the context of the walled garden mechanism. I mainly use a walled garden plugin (loginrequired) in Elgg 1.7, because the default access level set for the site can be broken by users by setting "public" as access level for their content regardless of the default access level. If the walled garden mechanism in Elgg 1.8 would not shield public content from non-members, this would make using it rather pointless. I tried to figure out how the walled garden mechanism is implemented but haven't managed it yet. I also tried to code an Elgg 1.8 version of the loginrequired plugin but it seems not as simple as I thought at first. This plugin blocks access to all pages when not logged in with the exception of urls that are included in an allowed list (index page, register and lost password pages, external pages and /_css/css.php and /_css/js.php). I guess the css.php and js.php files are now the problem that block upgrading the plugin to Elgg 1.8.

comment:7 Changed 20 months ago by cash

https://github.com/Elgg/Elgg/blob/master/engine/classes/ElggSite.php#L391

There is a plugin hook for adding pages. And to answer your question directly, it does not use the access on content to determine what is exposed to the public. See https://github.com/Elgg/Elgg/blob/master/mod/uservalidationbyemail/start.php for an example of using the hook.

comment:8 Changed 20 months ago by cash

Difficulty changed from trivial to moderate

Huh...not trivial at all since it requires redoing the walled garden page (which needs its html/css rewritten.

comment:9 Changed 20 months ago by dhrup2000

The hook :-
elgg_register_plugin_hook_handler('public_pages', 'walled_garden', 'expages_public_pages');
-- does allow any plugin to declare 'logged-out pages'
( I posted some more code details @ http://community.elgg.org/pg/forum/topic/801224/privecy-policy/ )

Walled-garden now forces to the bare Login page (@Cash's HTML/CSS point above). (I also tested walled-garden + Glossy RJC's theme and the Login block doubled there).

The approach @FBFK took was to create Static HTML pages for most of Terms, Privacy, etc
and so thereby totally bypassing any access controls.

The ExPages Plugin is somewhat 'special' but 1/2-way. It's data is stored and controlled
by Elgg's security. The design 'philosophy' for ExPages maybe could do with a 're-hash' -- (1) Controlled Pages where Elgg comes into play or (2) 'UnControlled (static) Pages' outside Elgg's normal (walled) controls.

I've read thru the various code areas invoked for walled-garden and tho there's work to be done there - it is not so-o complicated. The design direction is the more important aspect to consider.

If I were to re-design / code 'ExPages' ('StaticPages'?) - I would remove the object storage for Terms, etc (as @FBFK) and write to Www.Domain.Com/Terms.html and so on - no more access controls and also allows HTML savvy Elggsters the opportunity to customize as they like without the need to be involved with the internals of accesses.