I have searched for a solution to this question but didn't get a proper answer.
My website has articles that may have more than one author, so I added multiple Facebook Open Graph meta tags:
<meta property="article:author" content="https://www.facebook.com/{author_name_1}" />
<meta property="article:author" content="https://www.facebook.com/{author_name_2}" />
After doing this, I shared the article on Facebook, but it shows only the name of the first author. I want to show the names of all the authors whose profiles are mentioned in the Open Graph meta tags. How do I do that?
That is not possible.
By Facebook’s definition, one article has one author, not multiple.
The id (PK) of a model/DB row can be passed to and used in the URL pattern. Everyone, including hackers, would be able to piece together some information about my DB from this and the actual data in the template.
My questions are kind of general at this point. I would just like to understand how the info above could be used to compromise the data. Or if someone could point me to some further reading about this topic I would appreciate it.
This is a general question as I am trying to gain more understanding into securing Django sites. I have read several articles but nothing's satisfied the question.
Code:
Where the href passes the blog's id to be used in URL matching and ultimately pulling data from the DB in the views/template:
<a href="{% url 'details' blog.id %}">
and
urlpatterns = [
    path('<int:blog_id>/', views.details, name='details'),
]
And the URL being:
domain/appname/blog_id/
TL;DR: Can you hack my site with the few pieces of information I am freely giving away concerning the backend?
First, it depends on how your ids are generated. The default in Django is to use sequential numbers, which gives away the following (non-exhaustive) information:
Someone can easily try other ids to see what they get. If you haven't properly protected access to ids you don't want to show, someone might be able to see content they shouldn't see. Many information leaks were just due to this: Guess the URL et voilà! Something that was supposed to be published tomorrow is suddenly leaked today. The same applies for dates in the URL. Of course, if you have proper checks for who's allowed to view "draft" posts, there's no harm.
By trying all ids, you can find out numbers: maybe you don't want others to know how many products you have in your database because it's sensitive information. If I can just do /products/4924 to fetch info about product #4924, I can easily create a script to quickly increase the number until I get 404 Not Found, by which time I know there are 10252 products in your database.
If you have a form to make changes to an order and use the id in the URL to determine which order to change (never do just that, by the way; make sure you check the order belongs to the user), someone could just pick different ids to mess with other people's orders. That can happen easily with an UpdateView where you forget to check permissions.
Regarding the last one: I see plenty of posts here on SO where people show their UpdateView for changing user profiles and other really sensitive information. In most cases the pk is the URL parameter used to fetch the UserProfile. But I almost never see a decorator or mixin (PermissionRequiredMixin or UserPassesTestMixin) to check that the user is actually the one authorised to modify this object. I just pray it's left out for clarity's sake :-)
On the other hand, in many cases there's not much harm in using ids. This site, StackOverflow, uses a sequential id for the URL of a question/answer. Nothing serious can happen here if I randomly try other ids. And apparently they are happy to share how many questions and answers have been posted so far (57478609 when you posted this question).
TL;DR: Except for giving visitors the ability to "count" objects in your database, all other security issues with using sequential ids aren't real issues if you take care of your security. But by using random ids, e.g. uuids, in your URLs (not necessarily replacing the pk in the db) you can reduce the risk if you forgot to secure something where people can guess ids (or your intern forgot and it got past your code review and unit tests somehow).
You asked a general question, and the general answer would be: "It depends"
TL;DR: Can you hack my site with the few pieces of information I am freely giving away concerning the backend?
This question is broad. You could hack a site with a toothpick if you annoy the site owner by poking them with it until they give you the password.
Instead I'll assume you asked the titular question:
Q: Are PKs in URLs a security concern?
A: They can be.
In your example you mention blog posts, so let's assume your site has plenty of users all writing blog posts. Now you add the ability for a User to set their latest blog entry to "private". Blog posts marked private only show up on the dashboard for the user that wrote them, and don't show up on everyone else's blog feeds, e.g.:
{% for article in articles if not article.private %}
... <article feed stuff here>
{% endfor %}
Great!
However, one of your users posts a private article and looks at the address bar, which shows https://myblog.blog/articles/42, and then at a previous article they wrote yesterday, which is https://myblog.blog/articles/37, and deduces that the IDs are sequential. On a whim they type https://myblog.blog/articles/41 into the address bar and, oh dear, now they're looking at an article that someone else posted, which for the sake of argument we'll say was also set to private.
Because we had no check in place to make sure that the user looking at the (private) blog post was permitted to do so, we exposed someone's private information. That is bad enough for blog posts but a very expensive disaster for e.g. bank accounts (there are plenty of examples of major banks slipping up on this particular issue).
Django has a robust system for dealing with this sort of thing: https://docs.djangoproject.com/en/2.2/topics/auth/default/#limiting-access-to-logged-in-users-that-pass-a-test
The argument can still be made that as well as permissions checks, good practice would be to use UUIDs (or short UUIDs) for the id "slugs" in the URLs of any objects that you would rather weren't guessable.
Also, not security related but on the subject of URLs for public articles and blog posts you may find this interesting: https://wellfire.co/learn/fast-and-beautiful-urls-with-django/
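As an added example, not code from either answer above: the missing ownership check that both answers describe (the first answer's UpdateView/pk point and the second answer's /articles/41 walk), written with a plain-Python stand-in for the Django ORM so it runs without Django. Blog, blog_id and the author check mirror the question; the in-memory store, NotFound and the sample posts are constructed for this example.

```python
import uuid
from dataclasses import dataclass, field

@dataclass
class Blog:
    pk: int            # sequential primary key, as Django assigns by default
    author: str        # owner's username (stands in for request.user)
    title: str
    private: bool = False
    # Constructed: random, unguessable slug for URLs, kept alongside the pk
    slug: str = field(default_factory=lambda: uuid.uuid4().hex)

class NotFound(Exception):
    """Stand-in for Django's Http404."""

def get_object_or_404(objects, **filters):
    """Stand-in for django.shortcuts.get_object_or_404: first object whose
    attributes match every filter, else NotFound."""
    for obj in objects:
        if all(getattr(obj, k) == v for k, v in filters.items()):
            return obj
    raise NotFound(filters)

def details_insecure(store, user, blog_id):
    """What both answers warn about: the view trusts the id in the URL and
    never asks who is looking, so /articles/41 shows Bob's private post to anyone."""
    return get_object_or_404(store, pk=blog_id)

def details_secure(store, user, blog_id):
    """Public posts for everyone, private posts only for their author. A
    forbidden id gets the same 404 as a missing one, so guessing reveals
    nothing. Django equivalent, as a single query:
    get_object_or_404(Blog, Q(private=False) | Q(author=request.user), pk=blog_id)"""
    blog = get_object_or_404(store, pk=blog_id)
    if blog.private and blog.author != user:
        raise NotFound(blog_id)
    return blog

def details_by_slug(store, user, slug):
    """Same check, addressed by the random slug instead of the pk: there is
    no id space to walk, and the ownership check still applies."""
    return details_secure(store, user, get_object_or_404(store, slug=slug).pk)

# Constructed sample data mirroring the second answer's /articles/37, 41, 42
STORE = [
    Blog(pk=37, author="alice", title="Yesterday's public post"),
    Blog(pk=41, author="bob", title="Bob's private draft", private=True),
    Blog(pk=42, author="alice", title="Alice's private draft", private=True),
]
```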
I am working on applying the Helix Design Principles in an existing Sitecore project. One thing that I haven't been able to understand is the Metadata Feature.
I used Sitecore Habitat and searched through Google as a reference but haven't been able to understand it there either. I haven't been able to find a detailed resource/documentation to learn more about what it does, how it works and how I would implement it in a currently existing project.
I'm sure this is a really broad question but any help would be appreciated.
Metadata will add tags to your page header section, e.g.
<title>site name</title>
<meta name="description" content="Description"/>
This will help you with SEO.
To implement it you need to add PageMetadata to your page base template and siteMetadata to your site base template, and add the PageMetadata view to a placeholder in your layout's header tag.
In the API result (http://developers.facebook.com/docs/reference/fql/link_stat/) there are two counts about comments:
comment_count: The number of comments users have made on the shared story
commentsbox_count: The number of comments from a comments box on this URL. This only includes top level comments, not replies
What is the difference? Does the comment_count include the commentsbox_count?
They are quite different from each other.
comment_count refers to the number of comments made inside Facebook on a shared story, whereas commentsbox_count refers to the comments made on the external site via the comments plugin. Sites can use the comments plugin to easily put up a comment box on their website without having to implement it themselves. The commentsbox_count can be queried to get the number of comments left on each URL there.
I've recently added some Facebook content to my webpage, enabling the "like" and "send" buttons found here: http://developers.facebook.com/docs/reference/plugins/like/. I find that when I 'like' my webpage and the status appears on my Facebook wall, the description shown under the link title does not match what my meta tags describe. Where is this description coming from? Is there a way to change it? I've added and changed several styles of meta tags (meta title, meta name, meta description, etc.). Nothing seems to change this description. I've also cleared my Safari cache after testing new content, with no more luck. I know I'm looking right at the problem.
If you look at the link's source code, you can see there is no indication of this description.
Please ask me for the website address if necessary.
Please help? Thanks.
This answer comes a little late but Facebook caches all pages internally. The easiest way for facebook to read your tags is to scrape the website by going to http://developers.facebook.com/tools/debug and entering the URL of your website. This will fix the issue.
What you need to do is place the correct og:tags into your page...This link will tell you what tags to place on your page according to the content you have. There is also the facebook url linter that you can use to test your og:tags...
Hope this helps!
Good luck!
I'm a bit unclear about what exactly your problem is, but on http://developers.facebook.com/docs/reference/plugins/like/ Step 2 - Get Open Graph Tags, it will generate the appropriate meta tags with the correct syntax. If the problem isn't fixed with that method, I would suggest looking into the PHP Facebook API because I had a lot of problems that I was frankly too lazy to figure out with the JavaScript Facebook stuff that I could easily correct and design with the PHP version. Hopefully this at least points you in the right direction. Maybe some code too, ya?
EDIT: By the way, the generated meta tags look something along these lines:
<meta property="og:title" content="" />
<meta property="og:type" content="" />
<meta property="og:site_name" content="" />
<meta property="fb:admins" content="" />
etc.
EDIT 2: It just occurred to me as well that, if you have a Facebook Page, the information will be pulled from there. However, if you don't and are trying to use a link to a website, you can/should make a Facebook App for Webpages that will allow you to customize the description, title, etc. and all that other jazz you're probably having troubles with.
I'm a pretty experienced Grails developer, but most of my experience has been with using grails for serving up JSON/XML to a flex app and some relatively simple HTML websites.
I've been diving deeper into using the sitemesh integration in grails and I'm struggling a little to find best practices for some more complex configurations, and I'm curious if there are any good tutorials or examples out there. The original Sitemesh website isn't that useful as the tags it talks about aren't directly exposed in grails.
A google search is mostly showing old mailing list posts and some vanilla sitemesh stuff which is helping me to move a little further along, but it's a lot of trial and error.
I fully understand how the basic g:layoutTitle, g:layoutHead, and g:layoutBody tags work. Those are easy and well documented.
The kinds of things that I'd like to see examples for:
g:applyLayout - the documentation on this is weak and I don't fully understand the uses suggested in the main docs. How is this different than setting the meta name='layout' content='foo' property?
g:pageProperty - some better examples on how to pull and use properties into the main template by setting the values as meta tags in the page that's being decorated. The grails docs on pageProperty show only the onload attribute from the body being brought forward. I think you can also use meta tag values here as well, anything else?
can you use multiple levels of sitemesh layouts? My testing seems to make me think that I can't, but that seems to reduce reusability. I think that the answer here is some usage of the g:applyLayout, but that's where I'm struggling the most.
The g:pageProperty is a very powerful, but very poorly documented, thing. Let's say in my layout I specify where to put some content like this:
<html>
<body>
<g:pageProperty name="page.header" />
</body>
</html>
Now in my page I can specify some content:
<content tag="header">
<!-- header -->
</content>
Sitemesh will take the content tag, regardless of actual position in the HTML of the page and place it where it needs to go in the flow of the layout.
Even better, if within my page I render a template that also specifies a content area with a tag of "header", it will overwrite the first declaration, and it will be the template's content that will be rendered in the final layout.
Well, I can answer a bit:
Your first and third questions are related, as you can't chain layouts using the meta tag.
Your final page should have a meta tag as you suggest, but if you want to layer a layout on top of another layout, you put a g:applyLayout tag at the top of the child layout, pointing at the parent.
In your edit.gsp, you'd have:
<meta name="layout" content="editTemplate" />
and in editTemplate.gsp, you'd have:
<g:applyLayout name="baseTemplate" >
<!-- the html for the editTemplate -->
</g:applyLayout>
so edit.gsp would use editTemplate.gsp, which would use baseTemplate.gsp as a base layout. You can chain those as needed.
I haven't used g:pageProperty at all, so I can't throw you better examples there, sorry.
Sitemesh together with Grails is a very, very powerful feature. The more I use it, the more I love it. You can decorate any part of your web site: you can have a layout for error messages, tooltips, news lines, comments, etc., etc. Just to note that you can even do that within your pages and have multiple levels of decoration (no <content> needed):
/view/layout/inline-error-message.gsp
<span class="errorMessageInSomeFancyBox">
<span class="errorIcon"></span>
<g:layoutBody />
</span>
/views/book/create.gsp
<%-- let's decorate our error message with some fancy box --%>
<g:applyLayout name="inline-error-message">${some.error.message}</g:applyLayout>
See our Rabbtor Showcase App for a few very good examples on:
- creating nested layouts
- rendering templates
- applying layouts to specific parts of a page
This app is actually a showcase for our tool Rabbtor, which enables using GSP outside Grails, but the parts related to Sitemesh are also valid for Grails.