Default Plone behavior is to display login box when the user tries to access content for which he or she does not have permission.
How to change this behavior so that instead an Unauthorized page is displayed? How to customize this unauthorized page to have custom texts, etc.?
PAS responds to a 401 Unauthorized error by invoking any challenge plugins, so to avoid the login form deactivate these plugins in acl_users.
A 403 Forbidden should not result in a challenge. However, in production mode (but not debug mode) these errors are hidden and they are transformed into 404 Not Found.
Customize this template: Products.CMFPlone/Products/CMFPlone/skins/plone_login/require_login.py, either via "old style" skin customization or "new style" jbot customization: http://pypi.python.org/pypi/z3c.jbot (see CMF Objects section)
FYI, there's now also a PAS plugin that only redirects to login form if the UA is a browser:
https://pypi.python.org/pypi/koodaamo.pas.browseronlyredirect/
Trying to test some content creation using Cypress on a Drupal 8 site, however having trouble logging in programmatically as recommended in Cypress's docs
(https://docs.cypress.io/guides/getting-started/testing-your-app.html#Logging-in)
Followed the steps on this site (https://sevaa.com/blog/2018/10/end-to-end-testing-with-drupal-and-cypress/), but when I ran cy.login(username, pwd) (I'm using actual values, not undefined variables...), I always get a 403 forbidden error.
Also, while I'm able to log in using the UI and I can navigate the admin section of Drupal by clicking on links, as soon as I use cy.visit('/admin/content') I get a 403 error...
Has anyone successfully bypassed these 403 errors by logging in programmatically?
And if so, how did you manage to do so?
I'd recommend installing Cypress-drupal node package. After that you can login with simple cy.drupalLogin('admin', 'admin') command.
I am working on a project in which we are using the Google OAuth API to sign up and log in users to our application.
The project is based on angularjs and asp.net.
The login process works fine when html5mode is not enabled, but for SEO reasons we are required to remove the hash (#) from the URL using:
$locationProvider.html5Mode(true);
In this case the response received after the authentication is always in the form
http://site/#access_token=...
and for the route configuration in Angular we are using
$routeProvider.when('/access_token=:accessToken', {
    templateUrl: '/app/identification/identification.html',
    controller: 'identificationGoogle'
});
The problem is that when html5 mode is enabled, after the redirection is done, the associated controller is never activated even if the browser window URL is in the previous form.
It does not work until you refresh the page.
So is there any solution to this problem that avoids the need to reload the page?
The Angular version used is 1.3.15.
I found the solution.
The solution was adding the base tag, which is required for Angular when using html5 mode
<base href="/">
and changing the redirect_uri in the key configuration on Google's Developer Console to
http://site/
instead of
http://site/index.cshtml
The problem happened because the redirect URL was not the same as the base URL.
So when the redirect is done to the old URL, the latter didn't match the base URL and so Angular's routing didn't work.
In this case the browser is automatically redirected to
http://site/#access_token=...
So after the page is reloaded explicitly, the base URL and the loaded URL are a match in this case, so the routing works fine.
Every new Plone site has a /contact-info/ URL with a generic email form on it.
Spambots can easily find this and use it to spam the webmaster with malicious emails (specifically note that the 'subject' can be set in the email).
This old thread http://plone.293351.n2.nabble.com/modify-or-disable-site-contact-form-td7258555.html suggests that you can simply update the template so it is an empty page. However, this is not enough to prevent spam.
wget http://localhost:8080/contact-info --post-data "sender_fullname=d&sender_from_address=doug#localhost.com&subject=d&message=d&form.submitted=1"
Will still send email on the form handler.
How do you completely disable this form handler?
edit: I see you can modify the form handler script at:
/portal_skins/plone_form_scripts/send_feedback_site/manage_main
/portal_skins/custom/contact-info
To generate a custom handler script and replace the default actions. However, this doesn't really remove the page, it just makes it do nothing.
What you must customize is not the template but the end point, the send_feedback_site script.
Replace the whole script code with:
from zExceptions import NotFound
raise NotFound()
Or probably Unauthorized is better.
If you are running nginx or apache in front of your Plone site you could write a redirect rule for that URL. This could then be added to your 'standard' buildout so that it always is there for new sites.
This is more of an HTTP spec question than a Sitecore question.
I have a 404 error page set up in Sitecore:
<setting name="ItemNotFoundUrl" value="/404.aspx" />
So, when a user accesses a non-existent page (e.g. www.example.com/xyz) they get redirected to my custom 404 page (e.g. www.example.com/404.aspx).
Sitecore performs the redirect using a 302 as seen in the Firebug screenshot below:
Is this a problem? I.e. will Google and other search engines index my 404 page at the URL www.example.com/xyz? The site in question was originally set up to return "200 OK" responses from the 404 page (bad!) and so search engines have been indexing the site's 404 page whenever they've found a broken link into the site.
I'd assume that since 302 is just a redirect, the status code at the final (custom 404) URL will be what any client is supposed to assume applies to the initial (redirecting) URL.
If this isn't a problem, what's the canonical spec / documentation that makes that clear?
As well as what Ruud has suggested, there was a blog post by Kern Herskind that uses a Sitecore/IIS approach without having to write any additional code.
As already mentioned, correct HTTP response headers are vital, not only for SEO but for many other use cases.
There's a Sitecore Shared Source module called "Sitecore Error Manager" which makes your Sitecore installation respond with the correct 404 header and comes with a couple of other features like configuring any other error response, even for the Sitecore media library (i.e. PDF files), multilanguage support etc.
Sitecore Marketplace: http://marketplace.sitecore.net/en/Modules/Sitecore_Error_Manager.aspx
Github: https://github.com/unic/SitecoreErrorManager
That is a problem indeed, because Google will now think the 404.aspx page does not exist and will think the non-existing item is temporarily redirected.
I came up with a solution for this and blogged about it here.
What it does basically is determine that the item is non-existing (through a pipeline processor), then retrieve the contents of the 404 page by requesting it using a WebRequest and return those contents to the browser with a 404 status code.
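A way to check which status codes a crawler actually receives for a missing URL, as an added example that is not part of the original posts. The names `trace`, `classify` and `demo_server` are hypothetical, and the local server is a constructed stand-in for the /404.aspx redirect behaviour described in the question.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)
CONN = {"http": http.client.HTTPConnection, "https": http.client.HTTPSConnection}

def trace(url, max_hops=5):
    """Follow redirects by hand; return [(status, url), ...], one entry per hop."""
    chain = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        conn = CONN[parts.scheme](parts.hostname, parts.port, timeout=5)
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        location = resp.getheader("Location")
        conn.close()
        chain.append((resp.status, url))
        if resp.status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)  # Location may be relative
    return chain

def classify(chain, error_path="/404.aspx"):
    """Name what a crawler concludes about the URL it first asked for."""
    first_status, (last_status, last_url) = chain[0][0], chain[-1]
    if first_status == 404:
        return "hard 404"  # the missing URL itself answers 404
    if first_status in REDIRECTS and urlsplit(last_url).path == error_path:
        return {404: "redirect to 404", 200: "soft 404"}.get(last_status, "other")
    return "other"

def demo_server(error_status):
    """Constructed stand-in: /404.aspx answers error_status, other paths 302 to it."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            is_error_page = self.path == "/404.aspx"
            self.send_response(error_status if is_error_page else 302)
            if not is_error_page:
                self.send_header("Location", "/404.aspx")
            self.send_header("Content-Length", "0")
            self.end_headers()
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    srv = demo_server(200)  # 200 on the error page reproduces the original setup
    print(classify(trace("http://127.0.0.1:%d/xyz" % srv.server_port)))
```

Only the "hard 404" result means the missing URL itself answered 404; in the other two cases the first hop tells the client the resource has moved.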
I have created an entry page and created fields for all those. Now I am trying to enter the fields into my database.
My values are saved in the database, but after saving, my CRM page shows an error like
500 - Internal server error. There is a problem with the resource you are looking for, and it cannot be displayed.
I think this error may be because of not enabling parent path and authentication rights in IIS.
I enabled the allow parent path in IIS -> ASP, and IIS -> ASP -> debugging properties -> send errors to browser -> true
How to resolve this error?
I figured out that in IIS7.
I had to go to the site in question, to 'Error Pages' --> "Edit Feature Settings" and select "Detailed errors". It's a little dialog box that pops up with three radio buttons.
This fixed it for me. Simply setting "Send Errors To Browser" to true did not do the trick.
Hope this helps someone.