View Issue Details
Field | Value
---|---
ID | 0006757
Project | mantisbt
Category | rss
View Status | public
Date Submitted | 2006-02-26 18:17
Last Update | 2006-05-07 03:51
Reporter | Rhasta
Assigned To | vboctor
Priority | normal
Severity | feature
Reproducibility | always
Status | closed
Resolution | fixed
Product Version | 1.0.1
Fixed in Version | 1.1.0a1
Summary | 0006757: Allow RSS syndication without allowing anonymous login.
Description | As tagged in both issues_rss and news_rss.php: "@@@ consider adding an explicit option to enable/disable RSS syndication." The attached patch files add a setting $g_syndicate_rss which can be toggled on or off. When set to ON the updated files allow RSS syndication even when anonymous login is off.
Additional Information | In short, RSS syndication becomes available IF $g_syndicate_rss OR $g_allow_anonymous_login is set to ON.
Tags | No tags attached.
Attached Files | issues_rss.php.patch (2,075 bytes)
*** mantis-1.0.1/issues_rss.php 2005-07-18 23:09:36.000000000 +1000 --- mantis/issues_rss.php 2006-03-07 10:32:26.000000000 +1000 *************** *** 27,40 **** require_once( $t_core_path . 'user_api.php' ); require_once( $t_core_path . 'filter_api.php' ); # only allow RSS generation of anonymous login is enabled. # @@@ consider adding an explicit option to enable/disable RSS syndication. ! if ( OFF == config_get( 'allow_anonymous_login' ) ) { access_denied(); } $f_project_id = gpc_get_int( 'project_id', ALL_PROJECTS ); $f_filter_id = gpc_get_int( 'filter_id', 0 ); $f_sort = gpc_get_string( 'sort', 'submit' ); if ( $f_sort === 'update' ) { --- 27,49 ---- require_once( $t_core_path . 'user_api.php' ); require_once( $t_core_path . 'filter_api.php' ); # only allow RSS generation of anonymous login is enabled. # @@@ consider adding an explicit option to enable/disable RSS syndication. ! if( config_get( 'rss_user', false ) != false ) { ! $t_username = config_get( 'rss_user', false ); ! } else if( OFF == config_get( 'allow_anonymous_login' ) ) { access_denied(); } + if( isset( $t_username ) ) { + if($t_username === false) { + access_denied(); + } + auth_attempt_script_login($t_username); + } + $f_project_id = gpc_get_int( 'project_id', ALL_PROJECTS ); $f_filter_id = gpc_get_int( 'filter_id', 0 ); $f_sort = gpc_get_string( 'sort', 'submit' ); if ( $f_sort === 'update' ) { *************** *** 167,177 **** $rssfile->addItem( $about, $title, $link, $description, $subject, $date, $author, $comments, $image ); } - # @@@ consider making this a configuration option. # 0.91 / 1.0 / 2.0 ! $version = '2.0'; $rssfile->outputRSS( $version ); ! ?> \ No newline at end of file --- 176,185 ---- $rssfile->addItem( $about, $title, $link, $description, $subject, $date, $author, $comments, $image ); } # 0.91 / 1.0 / 2.0 ! $version = config_get( 'rss_version', '2.0' ); $rssfile->outputRSS( $version ); ! ?> news_rss.php.patch (2,057 bytes)
*** mantis-1.0.1/news_rss.php 2005-08-22 07:07:29.000000000 +1000 --- mantis/news_rss.php 2006-03-07 10:36:20.000000000 +1000 *************** *** 19,32 **** require_once( $t_core_path . 'project_api.php' ); require_once( $t_core_path . 'print_api.php' ); # only allow RSS generation of anonymous login is enabled. # @@@ consider adding an explicit option to enable/disable RSS syndication. ! if ( OFF == config_get( 'allow_anonymous_login' ) ) { access_denied(); } # Make sure that the user selected either all projects or a public one. $f_project_id = gpc_get_int( 'project_id', 0 ); if ( ( $f_project_id != 0 ) && ( VS_PRIVATE == project_get_field( $f_project_id, 'view_state' ) ) ) { access_denied(); } --- 19,41 ---- require_once( $t_core_path . 'project_api.php' ); require_once( $t_core_path . 'print_api.php' ); # only allow RSS generation of anonymous login is enabled. # @@@ consider adding an explicit option to enable/disable RSS syndication. ! if( config_get( 'rss_user', false ) != false ) { ! $t_username = config_get( 'rss_user', false ); ! } else if( OFF == config_get( 'allow_anonymous_login' ) ) { access_denied(); } + if( isset( $t_username ) ) { + if($t_username === false) { + access_denied(); + } + auth_attempt_script_login($t_username); + } + # Make sure that the user selected either all projects or a public one. $f_project_id = gpc_get_int( 'project_id', 0 ); if ( ( $f_project_id != 0 ) && ( VS_PRIVATE == project_get_field( $f_project_id, 'view_state' ) ) ) { access_denied(); } *************** *** 134,142 **** $author, $comments, $image); } # @@@ consider making this a configuration option. # 0.91 / 1.0 / 2.0 ! $version = '2.0'; $rssfile->outputRSS( $version ); ?> --- 143,151 ---- $author, $comments, $image); } # @@@ consider making this a configuration option. # 0.91 / 1.0 / 2.0 ! $version = config_get( 'rss_version', '2.0' ); $rssfile->outputRSS( $version ); ?> mantis-rss-2006-03-29.patch (7,186 bytes)
diff -r -C 5 core/authentication_api.php core/authentication_api.php *** core/authentication_api.php 2005-08-11 02:21:28.000000000 +1000 --- core/authentication_api.php 2006-03-29 10:34:21.000000000 +1000 *************** *** 484,493 **** --- 484,503 ---- $g_cache_current_user_id = $t_user_id; return $t_user_id; } + ######################################### + # Generate 'key' value for secured RSS feeds. + function auth_get_rss_key() { + + $p_user = current_user_get_field( 'username' ); + $p_pass = current_user_get_field( 'password' ); + + return md5( $p_user . $p_pass); + + } #=================================== # HTTP Auth #=================================== diff -r -C 5 core/html_api.php core/html_api.php *** core/html_api.php 2006-02-03 13:56:33.000000000 +1000 --- core/html_api.php 2006-03-29 10:52:04.000000000 +1000 *************** *** 335,344 **** --- 335,349 ---- PRINT '<select name="project_id" class="small">'; } print_project_option_list( join( ';', helper_get_current_project_trace() ), true, null, true ); PRINT '</select> '; PRINT '<input type="submit" class="button-small" value="' . lang_get( 'switch' ) . '" />'; + PRINT '<a href="issues_rss.php?username=' . $t_username + . '&key=' . auth_get_rss_key() + . '&project_id=' . helper_get_current_project() . '">'; + PRINT '<img src="images/rss.gif" alt="' . lang_get( 'rss' ) . '" style="border-style: none; margin: 5px; vertical-align: middle;" />'; + PRINT '</a>'; PRINT '</form>'; PRINT '</td>'; PRINT '</tr>'; PRINT '</table>'; } diff -r -C 5 issues_rss.php issues_rss.php *** issues_rss.php 2005-07-18 23:09:36.000000000 +1000 --- issues_rss.php 2006-03-29 10:44:06.000000000 +1000 *************** *** 25,38 **** require_once( $t_core_path . 'class.RSSBuilder.inc.php' ); require_once( $t_core_path . 'user_api.php' ); require_once( $t_core_path . 'filter_api.php' ); ! # only allow RSS generation of anonymous login is enabled. ! # @@@ consider adding an explicit option to enable/disable RSS syndication. 
if ( OFF == config_get( 'allow_anonymous_login' ) ) { ! access_denied(); } $f_project_id = gpc_get_int( 'project_id', ALL_PROJECTS ); $f_filter_id = gpc_get_int( 'filter_id', 0 ); $f_sort = gpc_get_string( 'sort', 'submit' ); --- 25,58 ---- require_once( $t_core_path . 'class.RSSBuilder.inc.php' ); require_once( $t_core_path . 'user_api.php' ); require_once( $t_core_path . 'filter_api.php' ); ! # only allow RSS generation if anonymous login is enabled. ! # or when the user provides valid Username and Key values ! # in the query string (Key is of the form ! # md5($username . md5($password)); ). if ( OFF == config_get( 'allow_anonymous_login' ) ) { ! $p_user = gpc_get_string( 'username', null ); ! $p_key = gpc_get_string( 'key', null ); ! if($p_user == null || $p_key == null) { ! access_denied(); ! } ! $c_user = db_prepare_string( $p_user ); ! $c_key = db_prepare_string( $p_key ); ! $query = sprintf('SELECT password FROM %s WHERE username = \'%s\'', ! config_get( 'mantis_user_table' ), $c_user ); ! $result = db_query( $query ); ! if ( 1 != db_num_rows( $result ) ) { ! access_denied(); ! } ! $row = db_fetch_array( $result ); ! $t_key_expect = md5($c_user . $row['password']); ! if($c_key != $t_key_expect) { ! access_denied(); ! } ! auth_attempt_script_login($c_user); } $f_project_id = gpc_get_int( 'project_id', ALL_PROJECTS ); $f_filter_id = gpc_get_int( 'filter_id', 0 ); $f_sort = gpc_get_string( 'sort', 'submit' ); *************** *** 110,120 **** $t_page_number = 1; $t_issues_per_page = 25; $t_page_count = 0; $t_issues_count = 0; $t_project_id = $f_project_id; ! $t_user_id = user_get_id_by_name( config_get( 'anonymous_account' ) ); $t_show_sticky = null; if ( $f_filter_id == 0 ) { $t_custom_filter = filter_get_default(); $t_custom_filter['sort'] = $c_sort_field; --- 130,144 ---- $t_page_number = 1; $t_issues_per_page = 25; $t_page_count = 0; $t_issues_count = 0; $t_project_id = $f_project_id; ! if(isset($c_user)) { ! $t_user_id = user_get_id_by_name( $c_user ); ! 
} else { ! $t_user_id = user_get_id_by_name( config_get( 'anonymous_account' ) ); ! } $t_show_sticky = null; if ( $f_filter_id == 0 ) { $t_custom_filter = filter_get_default(); $t_custom_filter['sort'] = $c_sort_field; *************** *** 172,177 **** # @@@ consider making this a configuration option. # 0.91 / 1.0 / 2.0 $version = '2.0'; $rssfile->outputRSS( $version ); ! ?> \ No newline at end of file --- 196,201 ---- # @@@ consider making this a configuration option. # 0.91 / 1.0 / 2.0 $version = '2.0'; $rssfile->outputRSS( $version ); ! ?> diff -r -C 5 news_rss.php news_rss.php *** news_rss.php 2005-08-22 07:07:29.000000000 +1000 --- news_rss.php 2006-03-29 10:44:20.000000000 +1000 *************** *** 17,30 **** require_once( $t_core_path . 'class.RSSBuilder.inc.php' ); require_once( $t_core_path . 'news_api.php' ); require_once( $t_core_path . 'project_api.php' ); require_once( $t_core_path . 'print_api.php' ); ! # only allow RSS generation of anonymous login is enabled. ! # @@@ consider adding an explicit option to enable/disable RSS syndication. if ( OFF == config_get( 'allow_anonymous_login' ) ) { ! access_denied(); } # Make sure that the user selected either all projects or a public one. $f_project_id = gpc_get_int( 'project_id', 0 ); if ( ( $f_project_id != 0 ) && ( VS_PRIVATE == project_get_field( $f_project_id, 'view_state' ) ) ) { --- 17,50 ---- require_once( $t_core_path . 'class.RSSBuilder.inc.php' ); require_once( $t_core_path . 'news_api.php' ); require_once( $t_core_path . 'project_api.php' ); require_once( $t_core_path . 'print_api.php' ); ! # only allow RSS generation if anonymous login is enabled ! # or when the user provides valid Username and Key values ! # in the query string (Key is of the form ! # md5($username . md5($password)); ). if ( OFF == config_get( 'allow_anonymous_login' ) ) { ! $p_user = gpc_get_string( 'username', null ); ! $p_key = gpc_get_string( 'key', null ); ! if($p_user == null || $p_key == null) { ! access_denied(); ! } ! 
$c_user = db_prepare_string( $p_user ); ! $c_key = db_prepare_string( $p_key ); ! $query = sprintf('SELECT password FROM %s WHERE username = \'%s\'', ! config_get( 'mantis_user_table' ), $c_user ); ! $result = db_query( $query ); ! if ( 1 != db_num_rows( $result ) ) { ! access_denied(); ! } ! $row = db_fetch_array( $result ); ! $t_key_expect = md5($c_user . $row['password']); ! if($c_key != $t_key_expect) { ! access_denied(); ! } ! auth_attempt_script_login($c_user); } # Make sure that the user selected either all projects or a public one. $f_project_id = gpc_get_int( 'project_id', 0 ); if ( ( $f_project_id != 0 ) && ( VS_PRIVATE == project_get_field( $f_project_id, 'view_state' ) ) ) { | ||||
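Review bot: in the issues_rss.php.patch hunk at lines 27-40, the inner `if($t_username === false) { access_denied(); }` is unreachable, because `$t_username` is only assigned inside the branch that already required `config_get( 'rss_user', false ) != false`; drop it and read the option once (`$t_username = config_get( 'rss_user', false );` followed by a single `if ( $t_username !== false )`) instead of calling config_get() twice. The comment above the block still says `only allow RSS generation of anonymous login is enabled` and keeps the `@@@` marker that this hunk resolves; reword it to describe the rss_user fall-back. The issue description calls the option `$g_syndicate_rss` while the hunk reads `rss_user`, so one of the two needs updating. Since every unauthenticated feed request is now served as the rss_user account, the config documentation should say that this account needs only the lowest access level that can see the public issues the feed is meant to carry.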
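Review bot: in the issues_rss.php.patch hunk at lines 167-177, the new `$version = config_get( 'rss_version', '2.0' )` goes straight into `outputRSS()` without checking that it is one of the three values the comment above it lists (0.91 / 1.0 / 2.0); validate against that set and fall back to '2.0' so a typo in config_inc.php is caught instead of producing a malformed feed. This hunk also deletes the `@@@ consider making this a configuration option` marker while the matching hunk in news_rss.php.patch (lines 134-142) keeps it; the two should agree.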
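Review bot: the news_rss.php.patch hunk at lines 19-32 repeats the rss_user / allow_anonymous_login / `auth_attempt_script_login()` block from issues_rss.php verbatim, including the unreachable `if($t_username === false)` check; move it into one helper in core/authentication_api.php so the two feeds cannot drift apart when the rule changes, and fix the `of anonymous login` typo in the comment (`if anonymous login`) while touching it.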
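Review bot: `auth_get_rss_key()` in the core/authentication_api.php hunk (lines 484-493) derives the key as `md5( $p_user . $p_pass )` from the username and the stored password field alone, with no secret that lives outside the database; anyone able to read the user table can reproduce every user's key, and a key that leaks (it is placed in a URL, so it lands in access logs, browser history and feed-reader settings) can only be revoked by changing that user's password. Mixing in an installation secret held in config_inc.php addresses both; the closing note says the final CVS implementation does this with `$g_rss_key_seed`. Two smaller points: these are locals, so by the Mantis naming convention they should be `$t_user` / `$t_pass` rather than `$p_` (which marks parameters, cf. `$t_user_id` just above), and the empty lines inside the function body are stray.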
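Review bot: in the core/html_api.php hunk (lines 335-344) the href is built as `'issues_rss.php?username=' . $t_username . '&key=' . auth_get_rss_key() ...`, but `$t_username` is not assigned anywhere in the visible context of the function, and neither value is passed through urlencode(); a username containing `&`, `+`, `%` or spaces breaks the query string and therefore the key check in issues_rss.php, and the literal `&` inside an HTML attribute should be `&amp;`. Confirm where `$t_username` comes from, and emit the link only for logged-in, non-anonymous users: a page every visitor can load should not carry a long-lived credential, and the anonymous account needs no key since the feed already serves it whenever anonymous login is on.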
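Review bot: in the issues_rss.php hunk at lines 25-38 the expected key is computed as `md5($c_user . $row['password'])` from `$c_user`, the `db_prepare_string()`-escaped copy of the username, whereas `auth_get_rss_key()` in core/authentication_api.php hashes the unescaped `current_user_get_field( 'username' )`; for any username that the escaping alters the two values differ, the link the header emits never validates, and `auth_attempt_script_login($c_user)` logs in the escaped name as well. Keep `$c_user` for the SQL only and use `$p_user` (or the username read back from the row) for the hash and the login. `if($c_key != $t_key_expect)` should be the strict `!==`: PHP compares two numeric-looking strings numerically under `!=`, and a hex digest can be numeric-looking, so strict comparison is the safe default for any digest check. Finally, the comment describes the key as `md5($username . md5($password))` while the code hashes `$username . $row['password']`; these agree only when the stored password column is itself `md5($password)`, which the comment should say explicitly because the check silently depends on that storage format.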
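Review bot: the news_rss.php hunk at lines 17-30 duplicates the username/key verifier from issues_rss.php character for character, including the `$c_user` hashing and the loose `!=` digest comparison noted there; put the lookup, compare and `auth_attempt_script_login()` into one function in core/authentication_api.php beside `auth_get_rss_key()` (an `auth_rss_verify( $p_user, $p_key )`, say, as a suggested name) so key generation and verification live in one file and a fix is made once rather than twice.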
This still appears to be broken. Somewhere in filter_get_bug_rows(..) there is some form of auth check which bombs out of the script and results in the user being redirected to the auth page if they don't have a logged in session going.
From what I saw in your changes, I don't think it will work with just what you did. I made a custom post page for a cronjob for calendaring integration and got into authentication problems when I tried to automate the updates through a crontab job. I looked at the code from the RSS page as my base and anonymous still had to be enabled for the job to run despite similar changes to yours... the reason your test worked is probably because a login was cached. I ended up setting up an account for my job and using the auth_attempt_script_login API to authenticate my script... as I did not want to enable Anonymous login at all.
That's what I said in the earlier note I added. I'm still working on it with the hope of coming up with something useful. Not being able to use RSS without a pre-existing session makes the feature next to useless to me.
I would even go as far as to add the ability to add the option of sending private bugs along with RSS syndication. Of course the logged-in user would require proper privileges to view the issue. Changes for this, I believe, would also have to be made to the issues RSS feeds as well. Rhasta - I agree completely with the pre-existing session idea/"problem".
The new patch files I have just added (03-06-06) appear to rectify the earlier problems. A new setting has been added to set a username that is used for RSS syndication, i.e. $g_rss_user = "rss"; in config_inc.php. Obviously this user account must exist, otherwise access is denied. If this value is not set then the script still checks to see if anonymous login is enabled; if both these checks fail then access is denied. Finally I also added another RSS setting ($g_rss_version = "2.0";) which as expected allows users to select 0.91/1.0/2.0 as a configuration option. Hope this helps someone.
After discussions with vboctor on IRC the following changes have been suggested:
=======================================
As promised here is mantis-rss-2006-03-29.patch. The patch makes the following changes:

1) Modifies the issues_rss.php and news_rss.php files so that if anonymous login is disabled a further check is made before denying access to the RSS feeds. This check looks to see if a 'username' and 'key' value were provided in the query string. If they were then they are checked for validity. Key is effectively of the form md5($username . md5($password) ). If the key matches the username provided then the script logs in as that user and allows viewing of the RSS feed. Note that this method does hide private bugs/issues from those not authorised to see them. The news_rss.php file has not however been extended to provide access to private news items (this is also not provided in the standard mantis version of the file even when logged in).

2) Modifies html_api.php to provide an RSS link next to the project selector at the top right of screen. The RSS link is automatically generated to point to the issues feed for the selected project, with the appropriate username and key values attached so that it can be bookmarked, used in RSS readers etc. The news_rss.php file remains linked from its standard position on the 'Main' page.

Hope this proves useful.
Rhasta, based on our IRC discussion, the following are the things to be done:
I've just uploaded mantis-rss-2006-04-19.zip; as requested it contains full copies of the modified files. Also included is a .patch file. Referring to the list from our earlier discussion, here are the changes:

Anyway see what you think.
The support for authenticated RSS feeds is now implemented in CVS and will be part of Mantis 1.1. The implementation is based on Rhasta's latest patch with lots of refactoring and further security checking. Thanks Rhasta for your help... It would be great if you can review the final implementation and do some testing and report any issues you find against "CVS Head" version. The final implementation uses $g_rss_key_seed as one of the inputs for calculating rss keys, this allows the admin to make all rss keys already issued obsolete by just changing the value of this seed. It also makes calculation of seeds not possible for a person that doesn't have access to both the database data and the configuration files.
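As an added example, not Mantis code and not part of any patch attached to this issue: the key scheme of the 2006-03-29 patch placed beside the seeded variant described in the closing note, with a verifier for the username/key query-string form the feeds accept. The function names, the seed strings and the sample user row are assumptions made for this illustration.

```php
<?php
// Added illustration of the feed-key scheme discussed in this issue; it is not
// Mantis code. Function names, seed strings and the sample user row are assumed.

// The verifier's view of a user: username => password column as stored. The row
// is constructed; it holds md5() of a sample password, matching the patch's
// comment "md5($username . md5($password))".
$sample_users = array(
    'rhasta' => md5('sample-password-only'),
);

// Key as the 2006-03-29 patch computes it: md5(username . stored_hash). Anyone
// who can read the user table can rebuild it, and a leaked key stays valid
// until the user's password changes.
function rss_key_unseeded($user, $stored_hash) {
    return md5($user . $stored_hash);
}

// Key with an installation secret mixed in, the idea behind $g_rss_key_seed in
// the closing note: the table alone no longer suffices, and changing the seed
// in config_inc.php invalidates every key issued so far.
function rss_key_seeded($seed, $user, $stored_hash) {
    return md5($seed . $user . $stored_hash);
}

// Verifier for the ?username=...&key=... form. Every reject path returns false
// (the feed script would call access_denied()). The digest comparison is
// strict and constant-time rather than the patch's loose !=.
function verify_feed_key(array $users, $seed, $user, $key) {
    if ($user === null || $key === null || !isset($users[$user])) {
        return false;
    }
    $expected = rss_key_seeded($seed, $user, $users[$user]);
    return hash_equals($expected, $key);
}

// Walk-through: issue a key under one seed, then check it against the same
// seed, against a rotated seed (revocation without any password change), for a
// username that has no row, and with an unseeded key that the verifier rejects.
$seed_2006 = 'constructed-seed-2006';
$key = rss_key_seeded($seed_2006, 'rhasta', $sample_users['rhasta']);
$results = array(
    'same seed'    => verify_feed_key($sample_users, $seed_2006, 'rhasta', $key),
    'rotated seed' => verify_feed_key($sample_users, 'constructed-seed-2007', 'rhasta', $key),
    'unknown user' => verify_feed_key($sample_users, $seed_2006, 'nobody', $key),
    'unseeded key' => verify_feed_key($sample_users, $seed_2006, 'rhasta',
                          rss_key_unseeded('rhasta', $sample_users['rhasta'])),
);
var_dump($results);
```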