all theme folder content is accessible to every orchard site?

Topics: General
Aug 23, 2011 at 5:24 AM

Just wondering if i am missing something - right now it looks like any orchard site in a multi-tenant site has access to everything in the /Themes/ folder. Is that correct? If so, wouldn't it make sense to limit it so it just has access to it's current theme folder?

e.g. instead of accessing images through /Theme/MyTheme/Content/Images i would instead access it through /Content/Images and orchard would automatically know to look in /Theme/CurrentActiveTheme/ for those folders

If orchard is not currently set up to do this, should i update this ticket or should i create a new one suggesting this?


Aug 23, 2011 at 6:30 AM

That's correct: each tenant has access to all the available themes and everything that's underneath. I don't see how what you are proposing could work, how it would help or what exactly the problem is. It seems like you really want to restrict each tenant to one specific theme, which seems to be a different problem. Images are served by IIS directly, also.

Aug 23, 2011 at 6:52 AM

This isn't super important, since even if this were implemented, they could still access the individual elements through an http request. It just seems cleaner and a little more secure to me if each website did not have direct access to the content contained in other sites. Maybe some of the content contained in site A's folders is only supposed to be accessible after someone has authenticated themselves. Site B can come along and display everything on a public page. 

I just picture a true multi-tenant orchard install to treat each tenant like a tenant in an apartment - i can only access what it's in my apartment, not what's in someone else's apartment. I just assumed there'd be a folder, like the app_data\sites\ folder that would belong to each site and only that site.

As to how it could work - couldn't IIS restrict access to all the content under a specific folder except for the one folder that's owned by that particular site based on the domain?

Maybe this might not be worth doing though since i guess no one else has asked about it. it just seems cleaner and neater to me if each tenant were restricted to their own content.

Aug 23, 2011 at 7:01 AM

Technically it's not the content of other sites. The themes and modules are common to all tenants, although I do understand that oftentimes there is a theme that is dedicated to a tenant. If you want appartments, you need to put the tenant in different app domains. The media folder should be properly limited in scope to the current tenant if I'm not mistaken (that is content). I do not know if IIS could do what you are describing. At least not without custom modules.