ajaxmac, Member — 7th December 2011
Howdy,
Just came across an interesting issue between the Integrated Video Tutorials and the Domain Mapping plugin. I run http://Brellabee.com and part of the service is to use the WPMU Domain Mapping plugin. Subscribers who try to access their videos when logged in through their main domain are then denied access to the video tutorials in their Dashboard, even though they are essentially a subdomain of an authorised URL in my account.
The former domain can access the videos, but the second cannot.
Can't the Video Tutorial plugin check for the domain mapping plugin (with a function_exists() call), then pass the sub domain for authentication, not the mapped domain?
The current situation will not scale to hundreds and thousands of users all mapping their domains to my service.
Responses (30)
Support Kangaroo — 7th December 2011 #
Greetings :-)
I would handle this using the Pro Site Plugin which then in turn I would assign the privilege to them there.
Even if you do not have a paid version this would seem like a possible solution :-)
Joe :-)
WPMU DEV Fanatic — 7th December 2011 #
Hmm, actually, this is an interesting case. The Integrated Video plugin's use is checked on a domain basis so I don't think it could work on domain mapped sites without those sites being registered separately.
Let me run this by the team to be sure.
-David
Member — 13th December 2011 #
Any resolution to this issue?
Member — 13th December 2011 #
You have to run admin area as original domain on a domain mapped site,
however, if you use Theme My Login, it will break and create a loop of login attempts. I also believe you may have issues with API keys for Facebook publishing, but I can't recall testing it.
I suggest a global key that doesn't check on a domain level, as you guys sell Multisite plugins and admin videos. It is nonsensical to have users using WHITE LABEL videos on their main install :)
(because clearly they don't need to know how to add things).
Take a book from gravity forms page, had a key to be added globally in wpconfig. If someone wanted to steal these videos, they could easily do so. Save as 30x AND improve load times to not have to connect to your server in admin panel.
So probably not a real value to restrict on domain.
Member — 13th December 2011 #
Well put, @in-mn. As a multisite network admin trying to train "non-technical" users on how to use our WP multisite system, I agree on all points.
Lead Developer — 14th December 2011 #
If you insist on mapping the admin area of sites, then your only option is to put them on a front end static site somewhere, like a specific help site.
Our API validates on a per domain basis based on the browser referrer headers, it's the only way we can keep it from being shared or resold.
Member — 14th December 2011 #
Why are you so concerned with them being shared or resold? It's not like these are super-secret proprietary videos. They're generic, white-label videos, largely influenced from another set of WP training videos.
Member — 14th December 2011 #
A guy with the free real player app can save the videos
Making it harder for piracy. But not that much.
Your choice as software owner, my comment as customer. ;)
Member — 3rd January 2012 #
The only reason I renewed my WPMUDev subscription was so that I could offer these training videos within my customer's dashboard as a value-add. Putting on a public site kind of defeats the purpose (at least for me). Please consider a way to integrate this plugin with domain mapping.
Member — 18th January 2012 #
This is a big shame. This was also why I got the subscription. Having the admin panel on a subdomain causes cookie issues for clients logging into their subdomains and then removing their custom address once they login will just cause even more confusion. Sounds like I need to make a core site and then iframe that site into a custom module just to show videos to my clients. Something I don't have time to do, which is why I wanted to buy the videos. Very disappointed.
Member — 24th January 2012 #
I'm not even sure how to force the admin area to show up as the subdomain instead of the mapped domain, any suggestions on how to go about doing that since the videos can't pick up on the fact that they're all on the same domain?
Support Kangaroo — 24th January 2012 #
Greetings :-)
Actually I envision the cure being if the videos would work on the main domain as a wild card i.e. *.maindomain.com
This would at minimum take care of the sub-domain installs and the videos thereof.
Joe :-)
Member — 24th January 2012 #
@aecnu The videos do work from a subdomain dashboard. At least they do for me.
@nbostic If you login from the root site (id=1) and then click through to the Dashboard of a sub blog from the drop down from the admin bar under "My Sites" you will end with a Dashboard for a sub-site, and it will be the subdomain URL, not the mapped URL.
I originally started this thread because my setup uses Varnish Cache and the varnish cache purging plugin. The Varnish purge plugin is not domain mapping aware, and so if a user edits their site when they have logged in through the top level domain (and thus are viewing their Dashboard as a subdomain) the varnish cache plugin clears the subdomain URLs from cache, but not the mapped URLs. So I was encouraging my clients to log in through their mapped domain directly - but then their support videos don't work.
My solution in this case is to get off my arse and edit the varnish cache plugin so that it becomes mapped domain aware and clears both the subdomain and the mapped domain for each purging action.
If people are interested in the edits I am happy to post them. I am using this Varnish Cache plugin http://wordpress.org/extend/plugins/varnish-purger/
My Varnish VCL is based on this one by http://premium.wpmudev.org/forums/topic/fixing-commenters-ip-records-varnish#post-61450
Lead Developer — 24th January 2012 #
With the latest version there is a settings page under network admin -> Settings
Member — 25th January 2012 #
Aaron, doing that creates issues. If you're logged in at subdomain.maindomain.com and then go to mappeddomain.com it now looks like you're not logged in as admin and there is no menu bar at the top.
Lead Developer — 25th January 2012 #
It's not really an issue, just the way browsers work. This is how WP.com does domain mapping because it causes the least amount of issue overall cookie wise.
Member — 25th January 2012 #
It's only an issue if one insists on using subdomains and mapped domains, just using the mapped domain across the board is what most of us here are doing and that's why we're having problems showing the whitelabel videos to the sites in the network. You're asking us to set ourselves up for other issues and change the look/feel of the mapped domain site URLs in order to use the videos.
At the very least there should be a disclaimer on the module page that says you'll have to force subdomains in the admin panel, or create a dedicated, one-brand site and direct everyone from the multiple branded sites there if you want to allow sites to access the videos.
I hate being that moaning person that complains because something didn't fit their exact needs, but I feel that this module isn't working as many have expected and it isn't fully serving its designed purpose when it says it is multisite ready.
Lead Developer — 25th January 2012 #
It is on my todo list to see if there is any way to change the API around this. The API uses the referrer header for the iframe to validate, and that is done by users' browsers, not something that can be changed in code.
The only other technical way I can think is passing the API key in the iframe url, but then anyone could copy the visible embed code and stick it all over the web.
Any other ideas how it could be done yet maintain the needed protection?
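The trade-off discussed above, as an added example that is not part of the thread and not WPMU DEV's API: a Referer host check that passes a subdomain dashboard but rejects a mapped domain, next to one common alternative, a short-lived HMAC-signed token minted server-side so the API key never appears in the iframe URL. The hosts, function names, account id and secret are all hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not WPMU DEV's API. Hosts, names and the secret are constructed.

const EMBED_SECRET = 'constructed-demo-secret'; // stays on the server, never in the page

// Referer-based check as described in the thread: the embedding page's host
// must be a registered domain or a subdomain of one.
function referer_allowed($referer, array $registered)
{
    $host = parse_url((string) $referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false; // header missing or unparsable
    }
    $host = strtolower($host);
    foreach ($registered as $domain) {
        $domain = strtolower($domain);
        // Dot-anchored suffix match: "xnetwork.example" must not match "network.example".
        if ($host === $domain || substr($host, -strlen($domain) - 1) === '.' . $domain) {
            return true;
        }
    }
    return false;
}

// Plugin side: mint a short-lived token bound to the account and network site id.
function mint_embed_token($account, $site_id, $expires)
{
    $payload = json_encode(array('a' => $account, 's' => (int) $site_id, 'e' => (int) $expires));
    return base64_encode($payload) . '.' . hash_hmac('sha256', $payload, EMBED_SECRET);
}

// API side: check the MAC in constant time, then the expiry. Returns claims or null.
function verify_embed_token($token, $now)
{
    $parts = explode('.', (string) $token);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode($parts[0], true);
    if ($payload === false) {
        return null;
    }
    if (!hash_equals(hash_hmac('sha256', $payload, EMBED_SECRET), $parts[1])) {
        return null;
    }
    $claims = json_decode($payload, true);
    if (!is_array($claims) || !isset($claims['e']) || (int) $claims['e'] < $now) {
        return null;
    }
    return $claims;
}

$registered = array('network.example');
$now = 1327449600; // fixed, constructed timestamp so the run is repeatable

// Subdomain dashboard, mapped domain, and a request with no Referer header.
var_dump(referer_allowed('https://site1.network.example/wp-admin/', $registered));
var_dump(referer_allowed('https://customer-domain.example/wp-admin/', $registered));
var_dump(referer_allowed('', $registered));

// The token does not depend on which host serves the dashboard; it is checked
// here while valid, after expiry, and with one character appended.
$token = mint_embed_token('acct-123', 42, $now + 300);
var_dump(verify_embed_token($token, $now) !== null);
var_dump(verify_embed_token($token, $now + 301) === null);
var_dump(verify_embed_token($token . '0', $now) === null);
```

A copied token still validates until it expires, so the lifetime bounds reuse of a copied embed URL rather than eliminating it; the token should be passed through `rawurlencode()` when placed in the iframe URL.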
Member — 25th January 2012 #
Any way to automatically add mapped network domains onto a whitelist? Even manually adding each of my URLs to a whitelist would be too much (we add 40-50 new sites a day) but something automated would work well.
Also I realize this isn't my personal module so my use-case of not adding the domain manually doesn't apply to everyone, so for the vast majority maybe allowing a manual whitelist of domains would work? However automating it to work only for mapped domains would make people's network admin areas a mess if they tried to validate 1000 random people as a way of distributing the videos, so that might be appealing to you.
Member — 28th January 2012 #
I know you're a busy dev Aaron, so you may have forgotten that you said you'd make it possible to use our own videos about 3-4 months ago. When you do release that functionality it may help with these sort of requests.
Those who don't like the caveats of the hosted solution can choose to host their own videos from a CDN or locally.
Secondary comment:
I'm also curious if the concern you have for people stealing the videos is "bandwidth stealing" or "intellectual property" related. In other words are you concerned that these videos be used by non-paying members or that the bandwidth people would be stealing by embedding the videos all over the web.
Please note that I'm just curious and not trying to make a point in either case.
Lead Developer — 30th January 2012 #
Both really.
Member — 28th February 2012 #
I ran into this issue also. Ripping streamed videos is VERY easy. I just noticed it when I was testing my Multi-site with Pro Sites that they all say "Not authorized by MPMU" or something to that effect. Locking the authorization into a single domain and having to manually add domains makes this plugin NOT "Multi-Site Ready." The videos are handy and give a quick start to adding your own help content. However, not quite the "goldmine" to protect so much that it debilitates the actual functionality of the plugin itself. As someone stated before: It's your product... do with it what you like. I am speaking as a customer and this is my personal opinion.
Member — 4th March 2012 #
I just hit this issue too with a mapped domain. I guess I can crank out a page and make it public with all the videos embedded on my homepage. It's easier than explaining why a WPMU warning comes up.
I don't think this is up to the standards I've seen at WPMU.
Member — 4th March 2012 #
Another glitch that was not planned for
Support Kangaroo — 4th March 2012 #
Greetings Everyone,
@ren "another glitch that was not planned for"
Hardly, this is the intended outcome to protect the videos and keep unauthorized people from eating up (stealing) WPMU Dev's bandwidth.
Well I understand both sides of the fence regarding this issue - On the WPMU Dev side if unprotected in some fashion I see literally hundreds and thousands of sites globally sucking up the bandwidth and bringing the server to a crawl as coders and web masters from all over the globe steal them from members or embed the code of the videos into their own web sites.
On the other hand web masters and members alike would like to have these videos in their multiple control panels of their main site and their sub sites, but how to stop the thieves?
Well as flexserve mentioned above, it is easy to rip streaming video - how true - but ripping off WPMU Dev bandwidth is not so easy.
Imagine - little old noob me becoming a WPMU Dev member on March 31st 2011 and by April 17th 2011 I had designed a working Pro Sites network ready for subscribers and I had my first ripped video on YouTube.
This ticket has gone way beyond its useful purpose of a Domain Mapping issue which in fact it is not about that at all - it is about being a protected bandwidth and video issue from unscrupulous people all over the world - therefore I am closing this ticket and moving it to feature suggestions and feedback forum.
Cheers, Joe :-)
Member — 5th March 2012 #
Perhaps not a glitch in the way the plugin is supposed to work but it is a glitch in my planned use for the plugin.
I just wish I was aware of it from the plugin description. I am now looking for a nice way to get around this.
I will start a new thread
Lead Developer — 5th March 2012 #
It's really more of a compatibility/expectations issue. I've released a new version that will prevent turning on admin side videos and show a notice message for those sites with incompatible domain mapping settings.
Member — 6th March 2012 #
I put a notice that you must be logged in from the main site to view the videos on my Video Tutorials page (page with links to each video). Not the way I want to run it but not much else can be done on our end.
Member — 6th March 2012 #
"Well as flexserve mentioned above, it is easy to rip streaming video - how true - but ripping off WPMU Dev bandwidth is not so easy."
You don't rip bandwidth when ripping from the web. You must store all videos locally. Just FYI.
I stripped this off my multisites. I am filming my own tutorials, which isn't so bad actually and it allows for branding without seeing "WordPress Demo" all over the vids too. ;)
Good Luck everyone and happy coding!
Member — 7th March 2012 #
I'm doing my own too but I'm doing videos they don't offer first. Like domain mapping demo.
The others should be pretty easy to do.