Sites With Exclusive Page Routes Still Load Other Sites’ Pages

[adamhann]

Description

Sites in Rock have a setting labeled “Enable Exclusive Routes”. Both the Rock Documentation and the tooltip on the setting indicate that this option will prevent this site from loading other sites’ pages, and also prevent other sites from loading this site’s pages (unless the route is marked IsGlobal)

In Rock version 11.1 and earlier, we’ve confirmed that the routes worked as documented. But in versions 11.2 and later, enabling this setting does not prevent other sites’ page routes from being loaded using this site’s domain.

This may have changed in response to #4346 in order to allow system dialogues (Zone Blocks, Child Pages, etc) to be loaded from the external site with exclusive routes enabled, even though the pages themselves belong to the internal site.

However, at least as of v16.2, these system dialogues are marked as Global Routes and so they should be able to load now, even if the external site is marked as “Enable Exclusive Routes”.

Actual Behavior

Actual Behavior

Since v11.2, assuming that you have two sites (sitea.rockrmsdemo.com and siteb.rockrmsdemo.com), here is what we found in testing (unexpected behavior is marked with a ⚠️):

	Neither site exclusive routes	Site A Exclusive, Site B not	Site B Exclusive, Site A not	Both Exclusive Routes
sitea.rockrmsdemo.com/siteapage	✅ 200	✅ 200	✅ 200	✅ 200
siteb.rockrmsdemo.com/siteapage	✅ 200	⛔ 404	⚠️ 200 (expected 404)	⛔ 404
sitea.rockrmsdemo.com/sitebpage	✅ 200	⚠️ 200 (expected 404)	⛔ 404	⛔ 404
siteb.rockrmsdemo.com/sitebpage	✅ 200	✅ 200	✅ 200	✅ 200

Expected Behavior

We expected that routes for a page within an “Exclusive Routes” site would not load other site’s pages:

	Neither site exclusive routes	Site A Exclusive, Site B not	Site B Exclusive, Site A not	Both Exclusive Routes
sitea.rockrmsdemo.com/siteapage	✅ 200	✅ 200	✅ 200	✅ 200
siteb.rockrmsdemo.com/siteapage	✅ 200	⛔ 404	⛔ 404	⛔ 404
sitea.rockrmsdemo.com/sitebpage	✅ 200	⛔ 404	⛔ 404	⛔ 404
siteb.rockrmsdemo.com/sitebpage	✅ 200	✅ 200	✅ 200	✅ 200

Steps to Reproduce

1. Create a new site “Site A” with a distinct domain like sitea.rockrmsdemo.com
   a. Assign this site to use the “Rock” theme so it’s visually identifiable.
   b. Create a page in that site with a route of siteapage.
   c. Add an HTML block to that page with content “Site A Page”.
2. Create a new site “Site B” with a distinct domain like siteb.rockrmsdemo.com
   a. Assign this site to use the “Stark” theme so it’s visually identifiable.
   b. Create a page in that site with a route of sitebpage.
   c. Add an HTML block to that page with content “Site B Page”.
3. Load every combination of those two domains and page routes per the tables above.
   a. Note that as expected, both pages are loadable from either domain, and show the theme/content according to the site they’re actually in, not necessarily the site whose domain was used.
4. Update Site A to enable Exclusive Routes, then repeat step 3. Note that Site B cannot load /siteapage (as expected), but Site A can load /sitebpage, contrary to the documentation.
5. Update Site A to disable Exclusive Routes and Update Site B to enable Exclusive Routes, then repeat step 3. Note that now Site A cannot load /sitebpage (as expected) but Site B can load /siteapage, contrary to the documentation.
6. Update Site A to enable Exclusive Routes again, then repeat step 3. Now that both sites have exclusive routes enabled, neither site can load the other site’s page.

Issue Confirmation

• Perform a search on the Github Issues to see if your bug or enhancement is already reported.
• Reproduced the problem on a fresh install or on the demo site.

Rock Version

v11.2 through v16.8, and PreAlpha 17.0.38

Client Culture Setting

EN-US