[typo] typo admin shows up on google.

Scott Laird scott at sigkill.org
Thu Jul 28 20:46:20 EDT 2005


On Jul 28, 2005, at 5:33 PM, Trejkaz wrote:
> I guess the only benefit of doing it this way is that the page is the same for
> all users (so the cache can be used for the admin users as well.)  But in
> reality, the admin users are the tiny minority, so caching wouldn't really help
> that much.
>
> I agree... it should work server-side so that admin elements are only put in the
> HTML if the user is an admin in the first place.  It doesn't actually seem
> useful to have an "is_admin" cookie when the server already knows the user is
> an admin.
>
> To divert a bit, I also think that this show/hide script is something which CSS
> can do...
>
>    #admin_article { display: none; }
>    div.post:hover #admin_article { display: block; /* or whatever */ }
>
> ...but I understand that when you have a hammer (JavaScript), everything starts
> to look like a nail. :-)

Not exactly.  The problem is that once we cache a page, Apache never  
calls us again for that page[1].  We can't check for admin status  
because we don't even run--Apache (or whoever) serves the static HTML  
directly to the client.  If we want to do the admin check on the  
server end then we have to completely stop using Rails's page cache,  
and that's a massive performance hit for all users, not just admins.

Putting the admin URL in the page and doing the admin check on the  
client side seems like a low-cost way around this.  The admin URL  
isn't leaking any information--all Typo blogs put it in the same  
place, and the article ID shows up other places in the same file.   
The admin pages need a login to work, so there's really no security  
issue.


Scott

[1] Until it's swept from the cache due to some other action, that is.
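
The split described in the message above, as an added Ruby example that is not part of the original post and is not Typo's code: a page cache that returns identical HTML whatever cookies arrive, next to an uncached admin action that decides from server-side session state. PageCache, render_article, login_admin, admin_edit, SESSIONS, the session_id cookie and the admin path are hypothetical names made up for the illustration; only the is_admin cookie name comes from the thread.

```ruby
require 'securerandom'

# Models the page cache: after the first render the stored HTML is returned
# for every request, and the application (with its auth checks) never runs.
class PageCache
  attr_reader :renders

  def initialize
    @store = {}
    @renders = 0
  end

  # Cookies are accepted but ignored, as when the web server serves the file.
  def fetch(path, _cookies = {})
    @store[path] ||= begin
      @renders += 1
      yield
    end
  end

  # Footnote [1]: the page is rendered again only after a sweep.
  def sweep(path)
    @store.delete(path)
  end
end

# Same markup for every visitor; the admin link is present but hidden.
# The path is a constructed placeholder, not Typo's real admin URL.
def render_article(id)
  %(<div class="post">Article #{id} <a id="admin_article" ) +
    %(style="display:none" href="/admin/EXAMPLE/edit/#{id}">edit</a></div>)
end

SESSIONS = {} # server-side store: session id => { admin: true }

def login_admin
  sid = SecureRandom.hex(16)
  SESSIONS[sid] = { admin: true }
  sid
end

# Admin actions are not page-cached. The client-set is_admin cookie is a
# display hint only and is never consulted for authorization.
def admin_edit(id, cookies)
  session = SESSIONS[cookies['session_id']]
  return [302, '/login'] unless session && session[:admin]
  [200, "edit form for article #{id}"]
end
```

A request carrying only is_admin=1 gets the same cached page as an anonymous visitor and is sent to the login page by the admin action.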

