I believe safe mode should be IP restricted.
For example, the overwatch forums redirect some built-in pages to a 404. Safe mode allows anyone to bypass that 404 and just see the page:
Site Statistics
All Time
Last 7 Days
Last 30 Days
Topics
60.8k
7.3k
29.7k
Posts
755k
97.6k
386k
Users
92.8k
4.3k
22.7k
Active Users
—
31.6k
56.7k
Likes
1.0M
117k
489k
I can also see the other pages they wanted to hide like /faq, /tos, and /privacy
Not a big deal because there’s no real security threat. But does entering safe mode disable Akismet as well?
7 إعجابات
Falco
20 أبريل 2018، 3:37م
2
Nope, safe mode only disable client-side stuff like CSS/JS/HTML.
4 إعجابات
Interesting, thanks for noting this and bringing it to our attention. Do you have any feelings on this @sam ?
إعجاب واحد (1)
sam
21 أبريل 2018، 12:14ص
4
I think the issue here is that they did not disable stuff hard enough server side on said forum, if we feel like we do not want end users to get certain info we got to close the tap on the server side, a soft 404 on part of the endpoint may not be enough
3 إعجابات
So then it is a call that @eviltrout needs to make?
3 إعجابات
eviltrout
23 أبريل 2018، 1:48م
9
I think an option to disable safe mode is a good thing. I’ll look into it.
3 إعجابات
eviltrout
24 أبريل 2018، 6:10م
12
8 إعجابات
eviltrout
25 أبريل 2018، 3:52م
13
Here’s a small change: staff members can always use safe mode, even if disabled. @sam suggested this and I think it’s a good idea.
https://github.com/discourse/discourse/commit/a5172a37e0bf2089300783d95f61380e22552120
18 إعجابًا