Concerns regarding safe mode

(Karl Romanowski) #1

I believe safe mode should be IP restricted.

For example, the Overwatch forums redirect some built-in pages to a 404. Safe mode allows anyone to bypass that 404 and just see the page:

Site Statistics

                All Time    Last 7 Days    Last 30 Days
Topics          60.8k       7.3k           29.7k
Posts           755k        97.6k          386k
Users           92.8k       4.3k           22.7k
Active Users                31.6k          56.7k
Likes           1.0M        117k           489k

I can also see the other pages they wanted to hide, like /faq, /tos, and /privacy.

Not a big deal because there’s no real security threat. But does entering safe mode disable Akismet as well?

(Rafael dos Santos Silva) #2

Nope, safe mode only disables client-side stuff like CSS/JS/HTML.

(Jeff Atwood) #3

Interesting, thanks for noting this and bringing it to our attention. Do you have any feelings on this @sam?

(Sam Saffron) #4

I think the issue here is that they did not disable stuff hard enough server side on said forum. If we feel like we do not want end users to get certain info, we've got to close the tap on the server side; a soft 404 on part of the endpoint may not be enough.
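
Added example, not part of the thread and not Discourse code: a Rack-style gate that returns a real 404 for the pages named in post #1, deciding on the normalized path alone so that neither a query string nor disabled client-side customizations change the result. The class name `HiddenPageGate`, its `canonical` helper and the sample requests are hypothetical.

```ruby
# Added illustration: server-side enforcement for pages a site wants hidden.
# Hypothetical middleware; the hidden paths are the ones named in the thread.
class HiddenPageGate
  HIDDEN_PAGES = %w[/faq /tos /privacy].freeze

  def initialize(app, hidden: HIDDEN_PAGES)
    @app = app
    @hidden = hidden
  end

  # Map variants such as "/FAQ/", "//faq" and "/faq.json" to "/faq" so that
  # blocking the HTML route does not leave another form of the endpoint open.
  def self.canonical(path)
    p = path.to_s.downcase.squeeze("/").chomp("/")
    p = p.sub(/\.[a-z0-9]+\z/, "").chomp("/") # drop a format suffix (.json)
    p.empty? ? "/" : p
  end

  def hidden?(path)
    c = self.class.canonical(path)
    @hidden.any? { |h| c == h || c.start_with?("#{h}/") }
  end

  def call(env)
    # Only PATH_INFO is consulted: QUERY_STRING and anything the browser
    # does or does not load (themes, JS redirects) cannot affect the answer.
    if hidden?(env["PATH_INFO"])
      return [404, { "content-type" => "text/plain" }, ["Not Found"]]
    end
    @app.call(env)
  end
end

if __FILE__ == $PROGRAM_NAME
  app  = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok"]] }
  gate = HiddenPageGate.new(app)
  # Constructed sample requests.
  [["/faq", "safe_mode=1"], ["/privacy.json", ""], ["/TOS/", ""], ["/latest", ""]].each do |path, qs|
    status, = gate.call({ "PATH_INFO" => path, "QUERY_STRING" => qs })
    puts "#{path}#{qs.empty? ? '' : "?#{qs}"} -> #{status}"
  end
end
```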

(Jeff Atwood) #5

So then it is a call that @eviltrout needs to make?

(Robin Ward) #9

I think an option to disable safe mode is a good thing. I’ll look into it.

(Robin Ward) #12

In the latest version of Discourse you can disable safe mode via a site setting:

(Robin Ward) #13

Here’s a small change: staff members can always use safe mode, even if disabled. @sam suggested this and I think it’s a good idea.