Afternoon. A very quick and simple question:
If we specify that metadata should never be displayed on the frontend in the metadata schema, does that mean that it is 100% unavailable to a frontend user - ie there's no way of viewing the headers and retrieving the hidden metadata?
I presume this is the case, but need to be sure otherwise we'll be sharing client email addresses with the world!
Thanks
They will not be displayed, that is correct, so they cannot be retrieved like that.
However, the permissions system does mean that if you are allowing public read access on the asset, you also allow the access on the metadata, so it is not an enforced security policy.
Well there's public read on all of our live assets. So does that mean that they will be able to pull out the email address even though it is specified as hidden always?
Which asset should not have public read - the page with the metadata on or the schema itsel?
[quote]
Well there's public read on all of our live assets. So does that mean that they will be able to pull out the email address even though it is specified as hidden always?
[/quote]
Public read and live status doesn't have any effect on the hidden option for metadata schemas or fields. If you specify them as hidden they won't output any frontend metadata when using the metadata design area.
[quote]
Which asset should not have public read - the page with the metadata on or the schema itsel?
[/quote]
Keeping in mind my previous comment, you don't need to change the status of a metadata schema asset itself. It won't have any effect on how it behaves in matrix.
If they are frontend users only (i.e., they have no access to _edit and _admin) and you don't expose the hidden metadata anywhere via a keyword, they are not going to be able to see it. If you do happen to print the value somewhere, they will be able to read the data because they have read access to the asset, so just be a bit careful.