U4-274 - Feature Request: Limit alternate template use

Created by Sebastiaan Janssen 16 Aug 2012, 18:02:52 Updated by Sebastiaan Janssen 17 Mar 2015, 14:17:55

Relates to: U4-2649

?alttemplate (and the newer syntax) should only allow use of the document types list of templates.

Consider the following scenario:

Website with both public area and a protected area with extranet functionality. One of the Extranet features is Export Members to CSV file .. this would most likely be implemented as a template with 2 macros: changecontenttype and a custom xslt that renders member data. One of the pages in the Extranet uses this template. As the page is protected this is fine.

As it is now - this template could be used as an altTemplate on any page.

Today this can be prevented by implementing some logic in the macro but it should be handled by Umbraco.

For backwards compatibility it should be an option in umbracosettings.

Kindly, J

''Originally created on CodePlex by [jesperordrup|http://www.codeplex.com/site/users/view/jesperordrup]'' on 9/19/2008 1:54:42 PM [Codeplex ID: 18565 - Codeplex Votes: 14]

Imported comments

''Comment by [drobar|http://www.codeplex.com/site/users/view/drobar] on 9/19/2008 5:38:50 PM:'' I love this idea! A nice protection for my ShareContent system as well.

''Comment by [Adz|http://www.codeplex.com/site/users/view/Adz] on 10/13/2008 6:57:38 PM:'' I actually find this 'feature' of altTemplate useful, so should definitely be backwards compatible!

''Comment by [daniel_l|http://www.codeplex.com/site/users/view/daniel_l] on 4/29/2009 12:25:19 AM:'' I recognise the scenario described by the original poster very well. This is a major security flaw!

Comments

Stephan 18 Feb 2013, 09:18:43

To anyone watching this issue: so what do we want? An option to limit the altTemplate value to those templates that have been actually listed on the document type? But, is it the same list? Ie we have some "ajax" alt. templates that we do not want our users to see when they manage content, so we do not want them in the "possible templates" list. Thoughts?


John Carpenter 18 Feb 2013, 09:40:59

I personally think that if a content editor sees an ajax template in the list that it's not the end of the world. If they did select it - and not sure why they would - then the page will "break" so you would hope that they would realise.

Or alternatively could we have a flag on the template which states whether it is available to content editors?


Nicholas Westby 20 Feb 2013, 18:27:14

Create two lists: "Allowed Templates" and "Choosable Templates". When an item is selected in the former, it is automatically added to the latter, but can then be removed from the latter (e.g., for the AJAX templates you mention).


Timo 12 Mar 2015, 13:09:29

For us a simple solution would be to just add an Umbraco setting that disables the feature entirely, for both possible scenarios (/templatename, /?altTemplate=templatename).

Because most people don't know about the feature they won't check if the current user is logged in or has enough rights as they think Umbraco will handle the authentication and validation of the user / roles (as defined in the backoffice).


Sebastiaan Janssen 17 Mar 2015, 13:45:58

Fixed in: https://github.com/umbraco/Umbraco-CMS/commit/6856f9f3416b9fe2725f6758f5ecf902f5eb2dfd

As of 7.2.3 in umbracoSettings.config you can update it with:

<web.routing trySkipIisCustomErrors="false" internalRedirectPreservesTemplate="false" disableAlternativeTemplates="true">

With that set to true, neither way to access an alternative template will work any more.
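Added example, not code from this thread or from the Umbraco project: a small log check for the two access forms discussed here (the altTemplate query string and the trailing /templatename segment) that flags requests selecting a template outside the content node's allowed list, which is the per-document-type restriction proposed earlier in the thread. The content paths, template aliases, and log lines are all constructed.

```python
from urllib.parse import parse_qs

# Constructed: allowed templates per content node, as a document type would list them.
ALLOWED_TEMPLATES = {
    "/contact": {"contact"},
    "/extranet/members": {"memberlist", "memberexportcsv"},
}
# Constructed: every template alias on the site. A trailing URL segment matching one
# of these is treated as the /templatename form of an alternate template request.
KNOWN_TEMPLATES = {"contact", "content", "memberlist", "memberexportcsv"}

# Constructed W3C-style lines: date time method uri-stem uri-query status ("-" = empty query).
SAMPLE_LOG = """\
2015-03-17 13:00:01 GET /contact - 200
2015-03-17 13:00:02 GET /contact/content - 500
2015-03-17 13:00:03 GET /contact altTemplate=memberexportcsv 200
2015-03-17 13:00:04 GET /extranet/members altTemplate=memberexportcsv 200
2015-03-17 13:00:05 GET /contact/content - 200
"""


def requested_template(stem, query):
    """Return (content_path, template_alias) when the request selects an alternate
    template via ?altTemplate=alias (key matched case-insensitively, as Umbraco does)
    or via a trailing /alias segment; return None for a plain content request."""
    stem = stem.rstrip("/") or "/"
    qs = {k.lower(): v for k, v in parse_qs(query).items()}
    if "alttemplate" in qs:
        return stem, qs["alttemplate"][0].lower()
    if stem in ALLOWED_TEMPLATES:  # a real content node: nothing alternate in the path
        return None
    parent, _, last = stem.rpartition("/")
    if last.lower() in KNOWN_TEMPLATES:
        return (parent or "/"), last.lower()
    return None


def find_disallowed(log_text):
    """Yield (content_path, template, status) for requests whose chosen template is
    not on the allowed list of the content node they target."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # constructed format only; skip anything else
        _, _, _method, stem, query, status = parts
        selection = requested_template(stem, query)
        if selection is None:
            continue
        path, template = selection
        if template not in ALLOWED_TEMPLATES.get(path, set()):
            hits.append((path, template, status))
    return hits
```

Note that the query-string form reaches the protected template even when the response is 200, so a status-based filter alone would miss it.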


Daniël Knippers 17 Mar 2015, 13:48:14

Great!


Timo 17 Mar 2015, 13:51:50

Thanks, an excellent fix for our problems!


Nicholas Westby 17 Mar 2015, 13:59:30

Does that setting disable alternative templates entirely (rather than selectively)? What if we just want to disallow the use of templates that aren't on the "allowed templates" list as an alternate template for a given content type? Maybe that already happens (IMO that should be the default behavior).


Jeroen Breuer 17 Mar 2015, 14:00:54

Is there a way to keep alt templates enabled with the altTemplate querystring? It's much more likely that someone tries to visit /contact/content than /contact/?alttemplate=content. So only disable it as a URL segment.


Sebastiaan Janssen 17 Mar 2015, 14:07:40

It disables alt templates completely.

Please create new feature requests for both scenarios (hint: this is not high priority so unless there's some cool pull requests attached, those features will take a while to be implemented).


Nicholas Westby 17 Mar 2015, 14:08:13

@jbreuer I don't see that scenario as very much more likely. And what would be the negative consequence of that? Maybe somebody sees an ugly page? I'd be more worried about somebody (say, a hacker or competitor) causing problems by using templates against pages that aren't supposed to be able to use them. IMO it wouldn't be worth the added complexity to selectively restrict based on type of URL format used to choose an alternate template (though, I still believe selectively restricting alternate templates by allowed templates is still ideal).


Sebastiaan Janssen 17 Mar 2015, 14:09:18

I agree, @jbreuer's scenario is really unlikely and I don't see why you'd want to allow one way and not the other way. That's overkill configuration that'll likely never make it into the core.


Jeroen Breuer 17 Mar 2015, 14:13:16

@Knickerbocker We've had a situation where somehow /contact/content was visited a lot and instead of a 404 it showed an error because that template had the wrong model. People won't visit /contact/?alttemplate=content. We couldn't disable alt templates because it was used at other places.


Sebastiaan Janssen 17 Mar 2015, 14:15:18

@jbreuer I recommend a URL rewrite rule then. Very rare problem to have.


Sebastiaan Janssen 17 Mar 2015, 14:17:17

Come to think of it, you already have the option you want! Just remove <notFound assembly="umbraco" type="SearchForTemplate"/> from 404handlers.config. The altTemplate querystring will still work.


Priority: Normal

Type: Feature (request)

State: Fixed

Assignee:

Difficulty: Normal

Category:

Backwards Compatible: True

Fix Submitted:

Affected versions:

Due in version: 7.2.3

Sprint:

Story Points:

Cycle: