[typo] typo admin shows up on google.

Trejkaz trejkaz at trypticon.org
Thu Jul 28 21:32:36 EDT 2005

Quoting Scott Laird <scott at sigkill.org>:
> Not exactly.  The problem is that once we cache a page, Apache never
> calls us again for that page[1].  We can't check for admin status
> because we don't even run--Apache (or whoever) serves the static HTML
> directly to the client.

OK.  I was under the impression that the cache was implemented on the Rails
side, in the same fashion that people write page caches in Java on the Servlet

> If we want to do the admin check on the server end then we have to completely
> stop using Rails's page cache, and that's a massive performance hit for all
> users, not just admins.

Actually, I'm starting to wonder why Apache doesn't do this caching instead of
needing to implement it manually on the Rails side.  Really, a webapp should
only have to put the right cache headers on the pages it returns, and the thing
serving that page should be the one to decide how it's cached.  Otherwise
everyone implements it separately (which is what we're witnessing here.) :-/

I guess a lot of people throw a Squid in front of their server for exactly that
reason, though... so that they can get caching on anything without writing any

> Putting the admin URL in the page and doing the admin check on the  
> client side seems like a low-cost way around this.  The admin URL  
> isn't leaking any information--

--except the fact that there is an admin interface at all.

Good security practice is to not show things that users don't need to know, and
good bandwidth-saving practice is to not serve things that users will never
get to see.

I suppose if the admin markup were served using AJAX calls which were 
only for admins, that would solve both issues.


This message was sent using IMP, the Internet Messaging Program.
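
The split suggested in the last paragraph of the message above, sketched as an added Ruby example (not part of the original message and not Typo's code): a Rack-style handler where the cacheable page carries no admin markup and the admin fragment is served uncached to admin sessions only. The paths, the `sid` cookie name and the session value are assumptions constructed for illustration.

```ruby
# Added illustration. PUBLIC_PAGE, ADMIN_SESSIONS, the "sid" cookie and
# the /admin/fragment path are hypothetical names, not Typo's.
require "set"

# Constructed sample data: one public page and one admin session id.
PUBLIC_PAGE    = "<html><body><h1>Post</h1><div id=\"extras\"></div></body></html>"
ADMIN_SESSIONS = Set["s3cr3t-admin-session"]

# Pull the session id out of a Cookie header such as "theme=dark; sid=abc".
def session_id(env)
  env.fetch("HTTP_COOKIE", "").split(/;\s*/).each do |pair|
    name, value = pair.split("=", 2)
    return value if name == "sid"
  end
  nil
end

# One response for "no such page" and "not an admin", so the fragment
# endpoint does not confirm that an admin interface exists.
def not_found
  [404, { "Content-Type" => "text/plain", "Cache-Control" => "no-store" }, ["Not Found"]]
end

# Rack-style app: call(env) returns [status, headers, body].
APP = lambda do |env|
  case env["PATH_INFO"]
  when "/articles/1"
    # Identical for every visitor, so Apache, Squid or any other cache may
    # store it. It contains no admin link and no admin URL.
    [200, { "Content-Type" => "text/html", "Cache-Control" => "public, max-age=300" },
     [PUBLIC_PAGE]]
  when "/admin/fragment"
    if ADMIN_SESSIONS.include?(session_id(env))
      # Per-user content: the server checks the session on every request
      # and forbids shared caches from storing the result.
      [200, { "Content-Type" => "text/html", "Cache-Control" => "private, no-store" },
       ["<a href=\"/admin/articles/1/edit\">edit</a>"]]
    else
      not_found
    end
  else
    not_found
  end
end
```

The admin check runs on the server for the fragment only, so the page cache stays in place for everyone else.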
