View Issue Details

ID: 0006757
Project: mantisbt
Category: rss
View Status: public
Last Update: 2006-05-07 03:51
Reporter: Rhasta
Assigned To: vboctor
Priority: normal
Severity: feature
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.0.1
Fixed in Version: 1.1.0a1
Summary: 0006757: Allow RSS syndication without allowing anonymous login.
Description

As tagged in both issues_rss.php and news_rss.php:

@@@ consider adding an explicit option to enable/disable RSS syndication.

The attached patch files add a setting $g_syndicate_rss which can be toggled on or off. When set to ON the updated files allow RSS syndication even when anonymous login is off.

Additional Information

In short, RSS syndication becomes available IF $g_syndicate_rss OR $g_allow_anonymous_login is set to ON.

Tags: No tags attached.
Attached Files
issues_rss.php.patch (2,075 bytes)   
*** mantis-1.0.1/issues_rss.php	2005-07-18 23:09:36.000000000 +1000
--- mantis/issues_rss.php	2006-03-07 10:32:26.000000000 +1000
***************
*** 27,40 ****
  	require_once( $t_core_path . 'user_api.php' );
  	require_once( $t_core_path . 'filter_api.php' );
  
  	# only allow RSS generation of anonymous login is enabled.
  	# @@@ consider adding an explicit option to enable/disable RSS syndication.
! 	if ( OFF == config_get( 'allow_anonymous_login' ) ) {
  		access_denied();
  	}
  
  	$f_project_id = gpc_get_int( 'project_id', ALL_PROJECTS );
  	$f_filter_id = gpc_get_int( 'filter_id', 0 );
  	$f_sort = gpc_get_string( 'sort', 'submit' );
  
  	if ( $f_sort === 'update' ) {
--- 27,49 ----
  	require_once( $t_core_path . 'user_api.php' );
  	require_once( $t_core_path . 'filter_api.php' );
  
  	# only allow RSS generation of anonymous login is enabled.
  	# @@@ consider adding an explicit option to enable/disable RSS syndication.
! 	if( config_get( 'rss_user', false ) != false ) {
! 		$t_username = config_get( 'rss_user', false );
! 	} else if( OFF == config_get( 'allow_anonymous_login' ) ) {
  		access_denied();
  	}
  
+ 	if( isset( $t_username ) ) { 
+ 		if($t_username === false) {
+ 			access_denied();
+ 		}
+ 		auth_attempt_script_login($t_username);
+ 	}
+ 
  	$f_project_id = gpc_get_int( 'project_id', ALL_PROJECTS );
  	$f_filter_id = gpc_get_int( 'filter_id', 0 );
  	$f_sort = gpc_get_string( 'sort', 'submit' );
  
  	if ( $f_sort === 'update' ) {
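Review bot: the `rss_user` handling has a loose comparison and a dead branch. `config_get( 'rss_user', false ) != false` is a loose PHP comparison, so a configured username such as "0" or an empty string counts as unset and the code silently falls through to the anonymous-login check; use `!== false` (or test for a non-empty string). Inside the `isset( $t_username )` block the `$t_username === false` test can never be true, because `$t_username` is only assigned after the value was found to be non-false, so that `access_denied()` is unreachable. Also be clear about what the block does: every unauthenticated request is now logged in as the configured account via `auth_attempt_script_login`, so everything that account can see, private projects included, is readable by anyone who can reach the feed URL. Finally, the comment above the check still reads "only allow RSS generation of anonymous login is enabled" (should be "if") and keeps the `@@@` marker this patch is meant to resolve; update it to describe the new behaviour.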
***************
*** 167,177 ****
  
  		$rssfile->addItem( $about, $title, $link, $description, $subject, $date,
  							$author, $comments, $image );
  	}
  
- 	# @@@ consider making this a configuration option.
  	# 0.91 / 1.0 / 2.0
! 	$version = '2.0';
  
  	$rssfile->outputRSS( $version );
! ?>
\ No newline at end of file
--- 176,185 ----
  
  		$rssfile->addItem( $about, $title, $link, $description, $subject, $date,
  							$author, $comments, $image );
  	}
  
  	# 0.91 / 1.0 / 2.0
! 	$version = config_get( 'rss_version', '2.0' );
  
  	$rssfile->outputRSS( $version );
! ?>
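Review bot: `config_get( 'rss_version', '2.0' )` is handed straight to `outputRSS()` without being checked against the versions the comment lists (0.91 / 1.0 / 2.0), so a mistyped `$g_rss_version` reaches the builder unvalidated. Reject anything outside that set, or fall back to '2.0', before calling `$rssfile->outputRSS( $version )`.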
news_rss.php.patch (2,057 bytes)   
*** mantis-1.0.1/news_rss.php	2005-08-22 07:07:29.000000000 +1000
--- mantis/news_rss.php	2006-03-07 10:36:20.000000000 +1000
***************
*** 19,32 ****
  	require_once( $t_core_path . 'project_api.php' );
  	require_once( $t_core_path . 'print_api.php' );
  
  	# only allow RSS generation of anonymous login is enabled.
  	# @@@ consider adding an explicit option to enable/disable RSS syndication.
! 	if ( OFF == config_get( 'allow_anonymous_login' ) ) {
  		access_denied();
  	}
  
  	# Make sure that the user selected either all projects or a public one.
  	$f_project_id = gpc_get_int( 'project_id', 0 );
  	if ( ( $f_project_id != 0 ) && ( VS_PRIVATE == project_get_field( $f_project_id, 'view_state' ) ) ) {
  		access_denied();
  	}
--- 19,41 ----
  	require_once( $t_core_path . 'project_api.php' );
  	require_once( $t_core_path . 'print_api.php' );
  
  	# only allow RSS generation of anonymous login is enabled.
  	# @@@ consider adding an explicit option to enable/disable RSS syndication.
! 	if( config_get( 'rss_user', false ) != false ) {
! 		$t_username = config_get( 'rss_user', false );
! 	} else if( OFF == config_get( 'allow_anonymous_login' ) ) {
  		access_denied();
  	}
  
+ 	if( isset( $t_username ) ) { 
+ 		if($t_username === false) {
+ 			access_denied();
+ 		}
+ 		auth_attempt_script_login($t_username);
+ 	}
+ 
  	# Make sure that the user selected either all projects or a public one.
  	$f_project_id = gpc_get_int( 'project_id', 0 );
  	if ( ( $f_project_id != 0 ) && ( VS_PRIVATE == project_get_field( $f_project_id, 'view_state' ) ) ) {
  		access_denied();
  	}
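Review bot: this block is a copy of the `rss_user` check added to issues_rss.php and carries the same defects: the loose `!= false` comparison and the unreachable `$t_username === false` branch (the variable is only set when the value is already non-false). Rather than repeating the logic in each feed script, a single helper in core/authentication_api.php would keep the two feeds consistent and give the dead branch one place to be fixed.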
***************
*** 134,142 ****
  					$author, $comments, $image);
  	}
  
  	# @@@ consider making this a configuration option.
  	# 0.91 / 1.0 / 2.0
! 	$version = '2.0';
  
  	$rssfile->outputRSS( $version );
  ?>
--- 143,151 ----
  					$author, $comments, $image);
  	}
  
  	# @@@ consider making this a configuration option.
  	# 0.91 / 1.0 / 2.0
! 	$version = config_get( 'rss_version', '2.0' );
  
  	$rssfile->outputRSS( $version );
  ?>
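Review bot: the `# @@@ consider making this a configuration option.` comment is left in place here although the line below it now reads the value from `config_get( 'rss_version', '2.0' )`; the issues_rss.php patch removes the same comment. Drop it here as well so the two files match, and apply the same validation of the configured version to both feeds.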
mantis-rss-2006-03-29.patch (7,186 bytes)   
diff -r -C 5 core/authentication_api.php core/authentication_api.php
*** core/authentication_api.php	2005-08-11 02:21:28.000000000 +1000
--- core/authentication_api.php	2006-03-29 10:34:21.000000000 +1000
***************
*** 484,493 ****
--- 484,503 ----
  		$g_cache_current_user_id = $t_user_id;
  
  		return $t_user_id;
  	}
  
+ 	#########################################
+ 	# Generate 'key' value for secured RSS feeds.
+ 	function auth_get_rss_key() {
+ 
+ 		$p_user = current_user_get_field( 'username' );
+ 		$p_pass = current_user_get_field( 'password' );
+ 
+ 		return md5( $p_user . $p_pass);
+ 
+ 	}
  
  	#===================================
  	# HTTP Auth
  	#===================================
  
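Review bot: `auth_get_rss_key()` derives the key as `md5( username . stored password )`, so anyone with read access to the user table (a database backup, a reporting account) can compute a valid feed key for every user without knowing a password, and an issued key cannot be invalidated except by that user changing their password. Mixing in a server-side secret held only in the configuration means both the database and the config file are needed to recompute a key, and rotating that secret expires every outstanding key at once. Minor: the `$p_` prefix is the Mantis convention for function parameters; these are locals and would normally be `$t_user` / `$t_pass`.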
diff -r -C 5 core/html_api.php core/html_api.php
*** core/html_api.php	2006-02-03 13:56:33.000000000 +1000
--- core/html_api.php	2006-03-29 10:52:04.000000000 +1000
***************
*** 335,344 ****
--- 335,349 ----
  					PRINT '<select name="project_id" class="small">';
  				}
  				print_project_option_list( join( ';', helper_get_current_project_trace() ), true, null, true );
  				PRINT '</select> ';
  				PRINT '<input type="submit" class="button-small" value="' . lang_get( 'switch' ) . '" />';
+ 				PRINT '<a href="issues_rss.php?username=' . $t_username 
+ 									. '&amp;key=' . auth_get_rss_key() 
+ 									. '&amp;project_id=' . helper_get_current_project() . '">';
+ 				PRINT '<img src="images/rss.gif" alt="' . lang_get( 'rss' ) . '" style="border-style: none; margin: 5px; vertical-align: middle;" />';
+ 				PRINT '</a>';
  				PRINT '</form>';
  			PRINT '</td>';
  		PRINT '</tr>';
  		PRINT '</table>';
  	}
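Review bot: `$t_username` is used in the href but is not assigned anywhere in this hunk; confirm it is in scope in this function and that the link is not rendered for an anonymous session, where the printed key is meaningless. The username should also pass through `urlencode()` before being placed in the query string, otherwise names containing `&`, `+` or spaces produce a broken link. `lang_get( 'rss' )` needs a new language string that this patch does not add. Note too that a key in a bookmarkable URL ends up in browser history, proxy and web-server logs; that is inherent to the design, but the way to revoke it (changing the password) should be documented next to the link.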
diff -r -C 5 issues_rss.php issues_rss.php
*** issues_rss.php	2005-07-18 23:09:36.000000000 +1000
--- issues_rss.php	2006-03-29 10:44:06.000000000 +1000
***************
*** 25,38 ****
  
  	require_once( $t_core_path . 'class.RSSBuilder.inc.php' );
  	require_once( $t_core_path . 'user_api.php' );
  	require_once( $t_core_path . 'filter_api.php' );
  
! 	# only allow RSS generation of anonymous login is enabled.
! 	# @@@ consider adding an explicit option to enable/disable RSS syndication.
  	if ( OFF == config_get( 'allow_anonymous_login' ) ) {
! 		access_denied();
  	}
  
  	$f_project_id = gpc_get_int( 'project_id', ALL_PROJECTS );
  	$f_filter_id = gpc_get_int( 'filter_id', 0 );
  	$f_sort = gpc_get_string( 'sort', 'submit' );
--- 25,58 ----
  
  	require_once( $t_core_path . 'class.RSSBuilder.inc.php' );
  	require_once( $t_core_path . 'user_api.php' );
  	require_once( $t_core_path . 'filter_api.php' );
  
! 	# only allow RSS generation if anonymous login is enabled.
! 	# or when the user provides valid Username and Key values
! 	# in the query string (Key is of the form
! 	# md5($username . md5($password)); ).
  	if ( OFF == config_get( 'allow_anonymous_login' ) ) {
! 		$p_user = gpc_get_string( 'username', null );
! 		$p_key = gpc_get_string( 'key', null );
! 		if($p_user == null || $p_key == null) {
! 			access_denied();
! 		}
! 		$c_user = db_prepare_string( $p_user );
! 		$c_key = db_prepare_string( $p_key );
! 		$query = sprintf('SELECT password FROM %s WHERE username = \'%s\'',
! 		                 config_get( 'mantis_user_table' ), $c_user );
! 		$result = db_query( $query );
! 		if ( 1 != db_num_rows( $result ) ) {
! 			access_denied();
! 		}
! 		$row = db_fetch_array( $result );
! 		$t_key_expect = md5($c_user . $row['password']);
! 		if($c_key != $t_key_expect) {
! 			access_denied();
! 		}
! 		auth_attempt_script_login($c_user);
  	}
  
  	$f_project_id = gpc_get_int( 'project_id', ALL_PROJECTS );
  	$f_filter_id = gpc_get_int( 'filter_id', 0 );
  	$f_sort = gpc_get_string( 'sort', 'submit' );
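Review bot: the expected key is computed from the escaped username, `md5($c_user . $row['password'])`, while `auth_get_rss_key()` hashes the raw username; for any username that `db_prepare_string()` alters the two values differ and the feed is always denied. Hash the username as stored (the raw `$p_user` or the value from the row) and use `$c_user` only in the query. The `$p_user == null || $p_key == null` test is a loose comparison that treats the username "0" as absent, and `$c_key != $t_key_expect` is a loose string comparison as well; use `===`/`!==`, ideally with a constant-time compare for the key. The hunk also issues its own `SELECT password` against `mantis_user_table` instead of going through user_api.php, so a future change to how passwords are stored will break it silently.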
***************
*** 110,120 ****
  	$t_page_number = 1;
  	$t_issues_per_page = 25;
  	$t_page_count = 0;
  	$t_issues_count = 0;
  	$t_project_id = $f_project_id;
! 	$t_user_id = user_get_id_by_name( config_get( 'anonymous_account' ) );
  	$t_show_sticky = null;
  
  	if ( $f_filter_id == 0 ) {
  		$t_custom_filter = filter_get_default();
  		$t_custom_filter['sort'] = $c_sort_field;
--- 130,144 ----
  	$t_page_number = 1;
  	$t_issues_per_page = 25;
  	$t_page_count = 0;
  	$t_issues_count = 0;
  	$t_project_id = $f_project_id;
! 	if(isset($c_user)) {
! 		$t_user_id = user_get_id_by_name( $c_user );
! 	} else {
! 		$t_user_id = user_get_id_by_name( config_get( 'anonymous_account' ) );
! 	}
  	$t_show_sticky = null;
  
  	if ( $f_filter_id == 0 ) {
  		$t_custom_filter = filter_get_default();
  		$t_custom_filter['sort'] = $c_sort_field;
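Review bot: `isset($c_user)` couples this lookup to a variable assigned a hundred lines earlier inside the anonymous-login branch. Resolving the user id once at the point of login, in both branches, would make the intent explicit and survive later refactoring. Also, when anonymous login is ON the username/key pair is ignored entirely and the feed is built as the anonymous account, so on such an installation an authenticated user cannot obtain a personalised feed.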
***************
*** 172,177 ****
  	# @@@ consider making this a configuration option.
  	# 0.91 / 1.0 / 2.0
  	$version = '2.0';
  
  	$rssfile->outputRSS( $version );
! ?>
\ No newline at end of file
--- 196,201 ----
  	# @@@ consider making this a configuration option.
  	# 0.91 / 1.0 / 2.0
  	$version = '2.0';
  
  	$rssfile->outputRSS( $version );
! ?>
diff -r -C 5 news_rss.php news_rss.php
*** news_rss.php	2005-08-22 07:07:29.000000000 +1000
--- news_rss.php	2006-03-29 10:44:20.000000000 +1000
***************
*** 17,30 ****
  	require_once( $t_core_path . 'class.RSSBuilder.inc.php' );
  	require_once( $t_core_path . 'news_api.php' );
  	require_once( $t_core_path . 'project_api.php' );
  	require_once( $t_core_path . 'print_api.php' );
  
! 	# only allow RSS generation of anonymous login is enabled.
! 	# @@@ consider adding an explicit option to enable/disable RSS syndication.
  	if ( OFF == config_get( 'allow_anonymous_login' ) ) {
! 		access_denied();
  	}
  
  	# Make sure that the user selected either all projects or a public one.
  	$f_project_id = gpc_get_int( 'project_id', 0 );
  	if ( ( $f_project_id != 0 ) && ( VS_PRIVATE == project_get_field( $f_project_id, 'view_state' ) ) ) {
--- 17,50 ----
  	require_once( $t_core_path . 'class.RSSBuilder.inc.php' );
  	require_once( $t_core_path . 'news_api.php' );
  	require_once( $t_core_path . 'project_api.php' );
  	require_once( $t_core_path . 'print_api.php' );
  
! 	# only allow RSS generation if anonymous login is enabled
! 	# or when the user provides valid Username and Key values
! 	# in the query string (Key is of the form
! 	# md5($username . md5($password)); ).
  	if ( OFF == config_get( 'allow_anonymous_login' ) ) {
! 		$p_user = gpc_get_string( 'username', null );
! 		$p_key = gpc_get_string( 'key', null );
! 		if($p_user == null || $p_key == null) {
! 			access_denied();
! 		}
! 		$c_user = db_prepare_string( $p_user );
! 		$c_key = db_prepare_string( $p_key );
! 		$query = sprintf('SELECT password FROM %s WHERE username = \'%s\'',
! 		                 config_get( 'mantis_user_table' ), $c_user );
! 		$result = db_query( $query );
! 		if ( 1 != db_num_rows( $result ) ) {
! 			access_denied();
! 		}
! 		$row = db_fetch_array( $result );
! 		$t_key_expect = md5($c_user . $row['password']);
! 		if($c_key != $t_key_expect) {
! 			access_denied();
! 		}
! 		auth_attempt_script_login($c_user);
  	}
  
  	# Make sure that the user selected either all projects or a public one.
  	$f_project_id = gpc_get_int( 'project_id', 0 );
  	if ( ( $f_project_id != 0 ) && ( VS_PRIVATE == project_get_field( $f_project_id, 'view_state' ) ) ) {
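Review bot: this is a verbatim copy of the username/key check added to issues_rss.php, with the same escaped-username hash mismatch, loose comparisons and ad-hoc password query. Move it into one function in core/authentication_api.php next to `auth_get_rss_key()` and call it from both feeds, so key derivation and verification cannot drift apart. Unlike issues_rss.php, nothing below uses the logged-in identity to widen what this feed returns; the private-project check that follows still denies private projects, which matches the description in note ~0012432.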

Activities

Rhasta

2006-02-27 19:08

reporter   ~0012244

This still appears to be broken. Somewhere in filter_get_bug_rows(..) there is some form of auth check which bombs out of the script and results in the user being redirected to the auth page if they don't have a logged in session going.

EBY

2006-02-28 23:43

reporter   ~0012252

From what I saw in your changes, I don't think it will work with just what you did. I made a custom post page for a cronjob for calendaring integration and got into authentication problems when I tried to automate the updates through a crontab job. I looked at the code from the RSS page as my base and anonymous still had to be enabled for the job to run despite similar changes to yours... the reason your test worked is probably because a login was cached.

I ended up setting up an account for my job and using the auth_attempt_script_login API to authenticate my script... as I did not want to enable Anonymous login at all.

Rhasta

2006-03-01 03:29

reporter   ~0012253

Last edited: 2006-03-01 03:37

That's what I said in the earlier note I added. I'm still working on it with the hope of coming up with something useful. Not being able to use RSS without a pre-existing session makes the feature next to useless to me.

tardbaby1

2006-03-06 12:59

reporter   ~0012282

I would even go as far as to add the ability to add the option of sending private bugs along with RSS syndication. Of course the logged-in user would require proper privileges to view the issue.

Changes for this, I believe, would also have to be made to the issues RSS feeds.

Rhasta - I agree completely with the pre-existing session idea/"problem".

Rhasta

2006-03-06 19:42

reporter   ~0012285

Last edited: 2006-03-06 19:43

The new patch files I have just added (03-06-06) appear to rectify the earlier problems. A new setting has been added to set a username that is used for RSS syndication. I.e.:

$g_rss_user = "rss";

In config_inc.php. Obviously this user account must exist, otherwise access is denied. If this value is not set then the script still checks to see if anonymous login is enabled; if both these checks fail then access is denied.

Finally I also added another rss setting:

$g_rss_version = "2.0";

This, as expected, allows users to select 0.91/1.0/2.0 as a configuration option.

Hope this helps someone.

Rhasta

2006-03-11 17:13

reporter   ~0012325

Last edited: 2006-03-11 17:38

After discussions with vboctor on IRC the following changes have been suggested:

  • Roll back from these patches (which are essentially anonymous login, but restricted to RSS feeds) as they aren't an optimal solution.
  • Change the RSS feeds so that a user may access them (when anonymous login is disabled) by passing a username and a token (unique to their login) to the issues_rss.php or news_rss.php file. It is possible that this could be done without even requiring a username, however by getting one it prevents us needing to create a new column in the database as we can go straight to the row we need to generate and check the hash.
  • Add a way for the user to easily obtain their unique link to the RSS feed(s).

=======================================
Transcript of IRC conversation follows:

<vb123> Rhasta, this means that anyone (even if not registered) can get your rss feeds and see all what user "rss" can see.
<Rhasta> yeah, I know, which for us is fine
<vb123> hence, this is like anonymous login to potentially private issues.
<vb123> fair enough.
<Rhasta> I'm happy to work on something tighter, but it gets pretty gay
<vb123> the proper implementation will include passing a security token to the URL, based on which the content will be constructed. We may also send a user name as well.
<Rhasta> i.e. the only way I can see is to send user data in the get string, or some kind of unique key
<vb123> the security token can be md5(user name . md5(password))
<vb123> hence, if someone gets access to the user's security token, then the user can change password.
<vb123> to make it invalid.
<Rhasta> yeah that works
<vb123> we also need an easy way for users to get their URL including user name and token.
<vb123> if you implement that, I will integrate it.
<vb123> md5(password) is the password as stored in db.
<vb123> I've to go now. It would be great if you can update the issue with our discussion here.
<Rhasta> yah will do

==============
End transcript

In summary I am happy to work on these changes, however will continue to look at other similar bugs/feature requests in the tracker to see what users need from RSS.

EDIT: On reviewing similar issues, the following appears to handle some of the requirements listed here, albeit in a sub-optimal way (in that hashes appear to be repeatedly generated for every user in the database every time a feed is loaded). It may however be useful to users in the interim:

http://bugs.mantisbt.org/view.php?id=4213

Rhasta

2006-03-28 20:12

reporter   ~0012432

As promised here is mantis-rss-2006-03-29.patch.

The patch makes the following changes:

1) Modifies the issues_rss.php and news_rss.php files so that if anonymous login is disabled a further check is made before denying access to the RSS feeds. This check looks to see if a 'username' and 'key' value were provided in the query string. If they were then they are checked for validity. Key is effectively of the form md5($username . md5($password) ).

If the key matches the username provided then the script logs in as that user and allows viewing of the RSS feed. Note that this method does hide private bugs/issues from those not authorised to see them. The news_rss.php file has not however been extended to provide access to private news items (this is also not provided in the standard mantis version of the file even when logged in).

2) Modifies html_api.php to provide an RSS link next to the project selector at the top right of screen. The RSS link is automatically generated to point to the issues feed for the selected project, with the appropriate username and key values attached so that it can be bookmarked, used in RSS readers etc.

The news_rss.php file remains linked from its standard position on the 'Main' page.

===

Hope this proves useful.

vboctor

2006-04-11 08:47

manager   ~0012488

Rhasta, based on our IRC discussion, following are the things to be done:

  • Update to use cookie_string in the hash calculation (username + cookie string + crypted password).
  • Include Username in the rss title field
  • Support RSS feeds for filters
  • Include full modified files (zipped) in future patches.
  • Change order of values in title field to 'Mantis - <project name> - Issues' (previously 'Mantis - Issues - <project name>').
  • Issue titles should indicate the fact that an issue is Private.

Rhasta

2006-04-18 20:44

reporter   ~0012618

Last edited: 2006-04-18 21:05

I've just uploaded mantis-rss-2006-04-19.zip, as requested it contains full copies of the modified files. Also included is a .patch file.

Referring to the list from our earlier discussion here are the changes:

  • Update to use cookie_string in the hash calculation (username + cookie string + crypted password). - Done
  • Include Username in the rss title field. - Done
  • Support RSS feeds for filters. - Done
      - Simply involved updating the RSS links generated by query_view_page.php.
  • Include full modified files (zipped) in future patches. - Done
  • Change order of values in title field to 'Mantis - <project name> - Issues' (previously 'Mantis - Issues - <project name>'). - Done
  • Issue titles should indicate the fact that an issue is Private. - Done*
      - This is done; however, I suspect not as well as it needs to be. If the individual issue is marked as private then it is tagged as such in the RSS feed. If however the issue is private due to being part of a project marked as private then nothing is tagged.

Anyway see what you think.

vboctor

2006-04-23 08:37

manager   ~0012688

The support for authenticated RSS feeds is now implemented in CVS and will be part of Mantis 1.1. The implementation is based on Rhasta's latest patch with lots of refactoring and further security checking.

Thanks Rhasta for your help... It would be great if you can review the final implementation and do some testing and report any issues you find against "CVS Head" version.

The final implementation uses $g_rss_key_seed as one of the inputs for calculating rss keys, this allows the admin to make all rss keys already issued obsolete by just changing the value of this seed. It also makes calculation of seeds not possible for a person that doesn't have access to both the database data and the configuration files.
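The seeded key design vboctor describes in the note above, as an added illustration that is not MantisBT's own code: `rss_key()` and `rss_key_valid()` are assumed names, the inputs (seed, username, cookie string, crypted password) follow the thread but the concatenation order is an assumption, and the user record and seed values are constructed samples.

```php
<?php
// Added illustration of the seeded RSS-key design discussed in this issue.
// Not MantisBT's code: function names, the concatenation order and every
// sample value below are assumptions made for the example.
declare(strict_types=1);

// Constructed user record with the fields named in the thread:
// username, cookie string and the crypted (stored) password.
function sample_user(): array {
    return [
        'username'      => 'alice',
        'cookie_string' => 'c0ffee1234567890c0ffee1234567890',   // constructed
        'password'      => md5('correct horse battery staple'), // constructed
    ];
}

// Derive the feed key. The seed lives only in the configuration file and the
// other inputs only in the database, so recomputing a key needs both; changing
// the seed makes every key issued under the old value stop verifying.
function rss_key(string $seed, array $user): string {
    return md5($seed . $user['username'] . $user['cookie_string'] . $user['password']);
}

// Verify a key presented in the feed URL. hash_equals() compares in constant
// time, so a mismatch does not reveal how many leading characters were right.
function rss_key_valid(string $seed, array $user, string $presented): bool {
    return hash_equals(rss_key($seed, $user), $presented);
}

// Walk through the lifecycle: issue a key, rotate the seed, change the password.
$seed_v1 = 'constructed-seed-value-1';
$seed_v2 = 'constructed-seed-value-2';
$user    = sample_user();
$issued  = rss_key($seed_v1, $user);   // what the UI would put in the feed link

$after_pw_change = $user;
$after_pw_change['password'] = md5('a different passphrase');  // constructed

$cases = [
    'issued key, current seed'         => rss_key_valid($seed_v1, $user, $issued),
    'issued key after seed rotation'   => rss_key_valid($seed_v2, $user, $issued),
    'issued key after password change' => rss_key_valid($seed_v1, $after_pw_change, $issued),
    'tampered key, current seed'       => rss_key_valid($seed_v1, $user, strrev($issued)),
];
foreach ($cases as $label => $accepted) {
    printf("%-34s %s\n", $label, $accepted ? 'accepted' : 'rejected');
}
```

Only the first case should be accepted; the other three show the two revocation paths (seed rotation by the admin, password change by the user) and that a modified key fails the comparison.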