Created by Sebastiaan Janssen 16 Aug 2012, 18:02:52 Updated by Sebastiaan Janssen 17 Mar 2015, 14:17:55
Relates to: U4-2649
?alttemplate (and the newer syntax) should only allow use of the document type's list of templates.
Consider the following scenario:
Website with both public area and a protected area with extranet functionality. One of the Extranet features is Export Members to CSV file .. this would most likely be implemented as a template with 2 macros: changecontenttype and a custom xslt that renders member data. One of the pages in the Extranet uses this template. As the page is protected this is fine.
As it is now - this template could be used as an alttemplate on any page.
Today this can be prevented by implementing some logic in the macro but it should be handled by Umbraco.
For backwards compatibility it should be an option in umbracosettings.
Originally created on CodePlex by jesperordrup (http://www.codeplex.com/site/users/view/jesperordrup) on 9/19/2008 1:54:42 PM [Codeplex ID: 18565 - Codeplex Votes: 14]
To anyone watching this issue: so what do we want? An option to limit the altTemplate value to those templates that have actually been listed on the document type? But, is it the same list? I.e., we have some "ajax" alt. templates that we do not want our users to see when they manage content, so we do not want them in the "possible templates" list. Thoughts?
I personally think that if a content editor sees an ajax template in the list that it's not the end of the world. If they did select it - and not sure why they would - then the page will "break" so you would hope that they would realise.
Or alternatively could we have a flag on the template which states whether it is available to content editors?
Create two lists: "Allowed Templates" and "Choosable Templates". When an item is selected in the former, it is automatically added to the latter, but can then be removed from the latter (e.g., for the AJAX templates you mention).
For us a simple solution would be to just add an Umbraco setting that disables the feature entirely, for both possible scenarios (/templatename, /?altTemplate=templatename).
Because most people don't know about the feature they won't check if the current user is logged in or has enough rights as they think Umbraco will handle the authentication and validation of the user / roles (as defined in the backoffice).
As of 7.2.3 in umbracoSettings.config you can update it with:
<web.routing trySkipIisCustomErrors="false" internalRedirectPreservesTemplate="false" disableAlternativeTemplates="true">
With that set to true, neither way to access an alternative template will work any more.
Thanks, an excellent fix for our problems!
Does that setting disable alternative templates entirely (rather than selectively)? What if we just want to disallow the use of templates that aren't on the "allowed templates" list as an alternate template for a given content type? Maybe that already happens (IMO that should be the default behavior).
Is there a way to keep alt templates enabled with the altTemplate querystring? It's much more likely that someone tries to visit /contact/content than /contact/?alttemplate=content. So only disable it as a URL segment.
It disables alt templates completely.
Please create new feature requests for both scenarios (hint: this is not high priority so unless there's some cool pull requests attached, those features will take a while to be implemented).
@jbreuer I don't see that scenario as very much more likely. And what would be the negative consequence of that? Maybe somebody sees an ugly page? I'd be more worried about somebody (say, a hacker or competitor) causing problems by using templates against pages that aren't supposed to be able to use them. IMO it wouldn't be worth the added complexity to selectively restrict based on type of URL format used to choose an alternate template (though, I still believe selectively restricting alternate templates by allowed templates is still ideal).
I agree, @jbreuer's scenario is really unlikely and I don't see why you'd want to allow one way and not the other way. That's overkill configuration that'll likely never make it into the core.
@Knickerbocker We've had a situation where somehow /contact/content was visited a lot and instead of a 404 it showed an error because that template had the wrong model. People won't visit /contact/?alttemplate=content. We couldn't disable alt templates because it was used at other places.
@jbreuer I recommend a URL rewrite rule then. Very rare problem to have.
Come to think of it, you already have the option you want! Just remove
<notFound assembly="umbraco" type="SearchForTemplate"/> from 404handlers.config. The altTemplate querystring will still work.
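An added example (not part of the thread and not Umbraco code): a small Python audit that takes the contents of umbracoSettings.config and 404handlers.config and reports which alternative-template routes remain reachable, following what the comments above state about `disableAlternativeTemplates` and the `SearchForTemplate` handler. The function name and the sample file contents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample files. Only the web.routing attributes and the
# SearchForTemplate handler line are taken from the thread; the root
# elements and the second handler are assumptions for the example.
SAMPLE_SETTINGS = """<settings>
  <web.routing trySkipIisCustomErrors="false"
               internalRedirectPreservesTemplate="false"
               disableAlternativeTemplates="false">
  </web.routing>
</settings>"""

SAMPLE_404 = """<NotFoundHandlers>
  <notFound assembly="umbraco" type="SearchForTemplate"/>
  <notFound assembly="umbraco" type="handle404"/>
</NotFoundHandlers>"""


def alt_template_exposure(settings_xml, handlers_xml):
    """Report which alternative-template routes stay reachable.

    Encodes the behaviour described in the thread:
    - disableAlternativeTemplates="true" turns off both routes;
    - removing the SearchForTemplate handler turns off only the
      /page/templatename route and leaves ?altTemplate= working.
    """
    routing = next(ET.fromstring(settings_xml).iter("web.routing"), None)
    # A missing element or attribute means the setting was never turned on.
    flag = "" if routing is None else routing.get("disableAlternativeTemplates", "")
    disabled = flag.strip().lower() == "true"

    segment_handler = any(
        handler.get("type") == "SearchForTemplate"
        for handler in ET.fromstring(handlers_xml).iter("notFound")
    )
    return {
        "querystring": not disabled,                      # /page/?altTemplate=name
        "url_segment": not disabled and segment_handler,  # /page/name
    }


if __name__ == "__main__":
    for route, reachable in alt_template_exposure(SAMPLE_SETTINGS, SAMPLE_404).items():
        print(f"{route}: {'REACHABLE' if reachable else 'disabled'}")
```

Any route reported as reachable still needs its own authentication and role check inside templates that render protected data, since the thread notes Umbraco does not restrict alternative templates to the document type's allowed list.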
Type: Feature (request)
Backwards Compatible: True
Due in version: 7.2.3