From a240d5abcc07be6742cfa0b97dfd1865f336cdda Mon Sep 17 00:00:00 2001
From: Harper Nordin
Date: Mon, 9 Mar 2026 12:56:26 -0500
Subject: [PATCH 1/3] fix: restricted anonymous traffic to login page
---
 castle/cms/shield.py | 43 ++++++++++++++++++++++++++++++-------------
 1 file changed, 30 insertions(+), 13 deletions(-)
diff --git a/castle/cms/shield.py b/castle/cms/shield.py
index 9a2133a69..e490d2d1b 100644
--- a/castle/cms/shield.py
+++ b/castle/cms/shield.py
@@ -4,29 +4,30 @@
 from plone.registry.interfaces import IRegistry
 from zExceptions import Redirect
 from zope.component import queryUtility
-
 import plone.api as api
 SHIELD = constants.SHIELD
-_blacklisted_meta_types = (
- 'Image', 'File', 'Filesystem Image',
- 'Filesystem File', 'Stylesheets Registry', 'JavaScripts Registry',
- 'DirectoryViewSurrogate', 'KSS Registry', 'Filesystem Directory View')
-
-
 def protect(req, recheck=False):
 url = req.getURL()
 login_url = '{}/@@secure-login'.format(api.portal.get().absolute_url())
 if '@@secure-login' in url.lower() and url != login_url:
 raise Redirect(login_url)
- published = req.PARENTS[0]
- mt = getattr(
- getattr(published, 'aq_base', None),
- 'meta_type',
- getattr(published, 'meta_type', None))
- if mt in _blacklisted_meta_types or mt is None:
+ url = req.get('URL', None)
+ whitelisted_requests = (
+ 'bootstrap.css',
+ 'secure-login.css',
+ 'secure-login.js',
+ 'require.js',
+ 'jquery.min.js',
+ 'bootstrap.min.js',
+ 'react.js',
+ 'utils.js',
+ 'favicon.ico',
+ )
+
+ if is_whitelisted(req, whitelisted_requests):
 return
 published = req.get('PUBLISHED')
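Review bot: The added `url = req.get('URL', None)` in protect is never read — `is_whitelisted` pulls the URL from `req` itself — so the line is dead and it rebinds the `url` obtained from `req.getURL()` a few lines above; drop it. `whitelisted_requests` is a fixed set of names that is rebuilt on every call; it could sit at module level next to `SHIELD`, as the removed `_blacklisted_meta_types` did, e.g. `WHITELISTED_REQUESTS = (...)` with `if is_whitelisted(req, WHITELISTED_REQUESTS):`. A short comment on the tuple saying these are the assets the login page itself needs (and that anything else now falls through to the shield) would record why the meta_type-based exemption was replaced. protect's body continues past the hunk.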
@@ -70,3 +71,19 @@ def protect(req, recheck=False):
 anonymous = api.user.is_anonymous()
 if anonymous:
 raise Redirect(login_url)
+
+
+def is_whitelisted(request, whitelist):
+ url = request.get('URL', None)
+ if url is None:
+ return False
+
+ url_without_querys = url.split('?')[0]
+ for resource in whitelist:
+ if url_without_querys.endswith(resource):
+ return True
+
+ if '/@@site-logo' in url_without_querys:
+ return True
+
+ return False
\ No newline at end of file
From 908689c74924048d973af98674503ac013d65862 Mon Sep 17 00:00:00 2001
From: Harper Nordin
Date: Mon, 9 Mar 2026 13:50:33 -0500
Subject: [PATCH 2/3] formatting fixes
---
 castle/cms/shield.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/castle/cms/shield.py b/castle/cms/shield.py
index e490d2d1b..84418cb68 100644
--- a/castle/cms/shield.py
+++ b/castle/cms/shield.py
@@ -25,7 +25,7 @@ def protect(req, recheck=False):
 'react.js',
 'utils.js',
 'favicon.ico',
- )
+ )
 if is_whitelisted(req, whitelisted_requests):
 return
From 1bbfb6d8bc1a49ea29528a940a1fa9a1b6ad1fee Mon Sep 17 00:00:00 2001
From: Harper Nordin
Date: Wed, 11 Mar 2026 09:00:14 -0500
Subject: [PATCH 3/3] removed unncessary spliting
---
 castle/cms/shield.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/castle/cms/shield.py b/castle/cms/shield.py
index 84418cb68..9afa71ca5 100644
--- a/castle/cms/shield.py
+++ b/castle/cms/shield.py
@@ -78,12 +78,11 @@ def is_whitelisted(request, whitelist):
 if url is None:
 return False
- url_without_querys = url.split('?')[0]
 for resource in whitelist:
- if url_without_querys.endswith(resource):
+ if url.endswith(resource):
 return True
- if '/@@site-logo' in url_without_querys:
+ if '/@@site-logo' in url:
 return True
 return False
\ No newline at end of file
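Review bot: `url_without_querys.endswith(resource)` is a bare suffix test, so any URL whose final segment merely ends with one of the whitelisted names (e.g. `my-utils.js`, or a `react.js` at any depth of the site) is exempted from the shield, which is wider than the nine login-page assets the caller lists; anchoring on the separator, `if url_without_querys.endswith('/' + resource):`, limits the exemption to an exact final path segment. The same lines are rewritten in the [PATCH 3/3] hunk, where the equivalent fix is `if url.endswith('/' + resource):`. `'/@@site-logo' in url_without_querys` is likewise a substring test anywhere in the URL rather than a check on the view being published; consider `url_without_querys.endswith('/@@site-logo')` if that is the intent. The new function also has no docstring — something like `"""Return True when the request URL names a static resource the login page may serve to anonymous users."""` would make the security role of the exemption explicit.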