Hidden nodes leak through JSON:API

Created on 20 June 2022, over 2 years ago
Updated 10 January 2024, 11 months ago

Problem/Motivation

This module can be used to "hide" nodes so that they serve internal purposes only.

The issue is that the "hidden" nodes and their content are still revealed by the JSON:API, where they appear just like any other node.

Steps to reproduce

1. Create an article with the Rabbit Hole setting "Behaviour: Page not found".
2. Visit the URL: http://localhost/jsonapi/node/article

Proposed resolution

Hide "Page not found", "Access denied" and "Page redirect" from the JSON:API
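A site owner can check how far the leak reaches before (or after) a fix lands by walking the JSON:API collection and listing every node whose effective Rabbit Hole behaviour should have hidden it. The following is an added example, not code from the issue or from the Rabbit Hole module. It assumes that the per-node setting is exposed as an `rh_action` attribute with the values `bundle_default`, `display_page`, `page_not_found`, `access_denied` and `page_redirect` (field name and values are assumptions), and that the site's per-bundle defaults are passed in by hand. The `SAMPLE_PAGES` dictionary is a constructed stand-in for two pages of `/jsonapi/node/article`; swap in `http_fetch` to run it against a real site.

```python
"""Audit a Drupal JSON:API collection for nodes that Rabbit Hole should hide.

Added example, not part of the issue or of the Rabbit Hole module. Field name
``rh_action`` and its values are assumptions about how the setting is exposed.
"""
import json
import urllib.request
from typing import Callable, Dict, List

# Behaviours under which the node's own page is unreachable in the front end.
HIDDEN_ACTIONS = frozenset({"page_not_found", "access_denied", "page_redirect"})


def effective_action(attributes: dict, bundle: str, bundle_defaults: Dict[str, str]) -> str:
    """Resolve a node's behaviour, falling back to the bundle default."""
    action = attributes.get("rh_action") or "bundle_default"  # assumed field name
    if action == "bundle_default":
        return bundle_defaults.get(bundle, "display_page")
    return action


def find_leaked_hidden_nodes(fetch: Callable[[str], dict], start_url: str,
                             bundle_defaults: Dict[str, str]) -> List[dict]:
    """Walk a JSON:API collection (following links.next) and return the
    resources whose effective Rabbit Hole behaviour hides the node page."""
    leaked: List[dict] = []
    seen = set()
    url = start_url
    while url and url not in seen:  # guard against a self-referencing next link
        seen.add(url)
        doc = fetch(url)
        for resource in doc.get("data", []):
            attrs = resource.get("attributes", {})
            bundle = resource.get("type", "").split("--", 1)[-1]  # "node--article" -> "article"
            action = effective_action(attrs, bundle, bundle_defaults)
            if action in HIDDEN_ACTIONS:
                leaked.append({
                    "uuid": resource.get("id"),
                    "nid": attrs.get("drupal_internal__nid"),
                    "title": attrs.get("title"),
                    "action": action,
                })
        url = doc.get("links", {}).get("next", {}).get("href")
    return leaked


def http_fetch(url: str) -> dict:
    """Fetch a JSON:API document over HTTP (for use against a real site)."""
    req = urllib.request.Request(url, headers={"Accept": "application/vnd.api+json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample: two pages of /jsonapi/node/article in the shape a site returns.
SAMPLE_PAGES = {
    "http://localhost/jsonapi/node/article": {
        "data": [
            {"type": "node--article", "id": "uuid-1",
             "attributes": {"drupal_internal__nid": 1, "title": "Public post",
                            "rh_action": "display_page"}},
            {"type": "node--article", "id": "uuid-2",
             "attributes": {"drupal_internal__nid": 2, "title": "Internal notes",
                            "rh_action": "page_not_found"}},
            {"type": "node--article", "id": "uuid-3",
             "attributes": {"drupal_internal__nid": 3, "title": "Uses bundle default",
                            "rh_action": "bundle_default"}},
        ],
        "links": {"next": {"href": "http://localhost/jsonapi/node/article?page[offset]=50"}},
    },
    "http://localhost/jsonapi/node/article?page[offset]=50": {
        "data": [
            {"type": "node--article", "id": "uuid-4",
             "attributes": {"drupal_internal__nid": 4, "title": "Staff only",
                            "rh_action": "access_denied"}},
        ],
        "links": {},
    },
}


def audit_sample() -> List[dict]:
    """Run the audit offline against the constructed pages above."""
    return find_leaked_hidden_nodes(SAMPLE_PAGES.__getitem__,
                                    "http://localhost/jsonapi/node/article",
                                    bundle_defaults={"article": "display_page"})


if __name__ == "__main__":
    for hit in audit_sample():
        print(f"nid {hit['nid']} ({hit['title']}) exposed despite rh_action={hit['action']}")
```

On the constructed sample the audit reports nodes 2 and 4; node 3 is kept because the article bundle default is "Display the page". If your site keeps the bundle default elsewhere, pass the real defaults so `bundle_default` resolves correctly, otherwise hidden-by-default nodes are missed.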

Note

I don't think this is a serious security issue since, in most cases, the content of the hidden nodes is displayed elsewhere, so no critical information is leaked. But it's not obvious that the information leaks, so a user may think that his nodes are truly hidden.

✨ Feature request
Status

Active

Component

Code

Created by

🇦🇺 Australia gaellafond


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇺🇸 United States dgroene

    I think this behavior in many cases is preferred. Often, content intended to be consumed through jsonapi only does not have a front-end template, so you would want to hide the node page without restricting the content from being part of jsonapi calls.
    Jsonapi extras allows you to block resources and fields, though not on a node-by-node basis. If this functionality is added to rabbit hole, I think it should be an independent selection so that you can maintain different behavior for the front-end template vs. the jsonapi representation.
