Trade-offs: page-level content vs. everything in a big group

I’m curious what the tradeoffs are of setting a page “type of content” vs. putting a big group around everything on the page and setting the group “type of content”. Specifically, does the latter pose a security risk?

I ask because we’ve tended to set “type of content” at the page level, which adds a path to a URL (e.g. mydomain.com/pagename/<user’s unique id>). Every user thus has a different URL. This creates problems for calling APIs with OAuth2 because the redirect URL is different for every user.

An alternative is to stick a big group around all the content on the page. In this case, the URL is simply mydomain.com/pagename for everyone. The big group then dictates the content that is displayed.

How have others handled this issue? What are the trade-offs particularly as it pertains to page-level security?

3 Likes

I can’t say for sure if there are any security differences, but I would have thought the only difference is that with a page set to have a type of content, you can use the “Send data” option when navigating between pages, whereas you can’t when using a group.

I don’t want to derail your thread but I wanted to chime in to show my appreciation. Great way to put the question, made me realize I’ve got tons of questions like that in my head.

Security-wise, yes, there could be one. A user could see another user’s page. But it just might be the functionality you are after. If users shouldn’t see each other’s info then why risk it?

Also, an attacker could deduce another’s unique ID, but by the looks of the length of the ID, probably unlikely?
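
The thread's security question, as an added example that is not part of any post above: whether the record ID sits in the URL path or the content is chosen behind a fixed URL, what protects the data is a server-side ownership check, not the length of the ID. This is framework-neutral Python; the record IDs are constructed and the function names are hypothetical.

```python
# Added illustration; names and record IDs are constructed, not from any platform.
RECORDS = {
    "rec-alice-001": {"owner": "alice", "body": "Alice's dashboard"},
    "rec-bob-002": {"owner": "bob", "body": "Bob's dashboard"},
}


class Forbidden(Exception):
    """Raised for missing and unauthorized records alike."""


def record_id_from_path(path):
    # "/pagename/<id>" -> "<id>"; "/pagename" -> None
    parts = [p for p in path.split("/") if p]
    return parts[1] if len(parts) > 1 else None


def unsafe_page(session_user, path):
    # Trusts the URL: anyone who learns or guesses an ID reads that record.
    rec = RECORDS.get(record_id_from_path(path))
    if rec is None:
        raise Forbidden()
    return rec["body"]


def checked_page(session_user, path):
    record_id = record_id_from_path(path)
    if record_id is None:
        # Fixed URL ("/pagename"): pick the record from the session, not the client.
        owned = [r for r in RECORDS.values() if r["owner"] == session_user]
        if not owned:
            raise Forbidden()
        return owned[0]["body"]
    rec = RECORDS.get(record_id)
    # Same error for "no such record" and "not yours", so IDs cannot be probed.
    if rec is None or rec["owner"] != session_user:
        raise Forbidden()
    return rec["body"]
```

With the check in place, both URL styles return only the signed-in user's record, so the choice between them can be made on other grounds such as the OAuth2 redirect URL.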