Possible Privacy Issue in Exponent

Thursday, October 17, 2013

We've recently discovered an anomaly which might result in a loss of Privacy on an Exponent site.  Users might assume that content (modules and/or items) placed on non-public pages or in hidden modules on a public page would have restricted access and only be available to logged in users with appropriate permissions (which only seems logical).  In other words, a basic assumption that any hidden/non-public content would NOT be available to search engines like Google, and any links to such content would be unreachable (would result in a 'Not Authorized' message).  THIS IS NOT THE CASE!

A fix to this anomaly will be included in the next release of Exponent, v2.2.3 which is due to be released publicly in a couple weeks (the pre-release code in the 'develop' branch of the GitHub repository already contains this fix).  In the meantime...if you discover 'private' information from your site has become available on a search site like Google, you may perform the following to remove it from the search engine.

  1. Simply removing the file/info from the site will NOT remove it from the search index for quite some time...aournd 90 days in some cases.  Search sites keep the summary and also a cached version of the page even after you remove it from the site.
  2. You MUST use the search engine's webmaster tools to request the url be removed, e.g. https://www.google.com/webmasters/tools which will likely take several hours to see the results.  You can find some other details about using search engine webmaster tools by visiting the Exponent SEO Blog.
  3. You must add the specific url to the site's 'robots.txt' file to keep it from being added back to the search index by adding a line such as:
    Disallow: /filedownload/downloadfile/fileid/4​

The upcoming fix and the other changes to the permission system in v2.2.3 (blog article) should prove to be some useful improvements.


'Non-Public Page' - By default, any page added to the page/menu hierarchy is visible in the site menu.  A 'non-public' page is created by un-checking the 'Public?' checkbox on the create/edit page form.  If the 'Public?' setting is turned off, the page (and all its child pages) will only be displayed/available in the menu, IF the user has been given permission to 'view' the page though user or group permissions.

'Hidden Module' - By default all modules placed on a Public page are visible to all users.  There may be an instance where you desire a portion of the page to be displayed for all users, and the remainder to only be visible to users with permission to 'view' the page.  In the 'Add Module' and module 'Configure Settings' form, checking off the 'Hide Module?' checkbox will hide that module on a public page except when a user has a 'view' permission for that page.  Placing a 'hidden module' on a 'non-public' page is redundant.

'Admin' users are automatically granted all permissions!