recentTopics.page give you access to private forums

 
Ranch Hand
Posts: 17424
Hi,

As you need no authentication to see the RSS feed /rss/recentTopics.page, you can see any forum topic as an anonymous user.

Is there any way to change that, so that private forums are really private?

Thanks.


[originally posted on jforum.net by Jean-Baptiste Catté]
 
Migrated From Jforum.net
Ranch Hand
Posts: 17424
Delving into the code, it looks like the RecentTopics RSS code lost its security check. A quick patch would be to modify the RSSAction.recentTopics() method by replacing this line:



with the code below.


[originally posted on jforum.net by monroe]
 
Thanks a lot monroe,

I tried your patch and it worked: it is not possible anymore to see unauthorized topics.

But:
1) you get a malformed feed error if the list of topics is empty
2) authentication is not asked for, so if you are already identified in Firefox it works, but in an external RSS reader such as RSSOwl it doesn't.

1) is not a minor problem but 2) is a major one, any clue?
[originally posted on jforum.net by Jean-Baptiste Catté]
 
1) Technically, this is really a discussion to take up with the RSS authors. The spec at http://cyber.law.harvard.edu/rss/rss.html lists the item tag as being among the optional tags in a channel. It also states that any number of them can be included... 0 is a number.

That said, you could try upping the number of articles searched for public content. This is currently limited by the number of posts per page config setting. You might double that in the class.

Alternatively, RSS.getItens (yes, it's spelled that way) could be modified to return a "no articles found" RSSItem if the list is null, or you can modify the rss_template.htm file to handle no items.

2) This is because RSS feeds do not have any standardized security mechanisms. It works with a browser because the browser will send the JForum related cookies along with the request. Third party RSS readers don't know about any HTML cookies and don't send any.

The closest thing to a "standard" is the use of basic authentication. But there are still not many RSS readers that support this.

For private forums, jForum will send a 401 error back with a request for basic auth. One thing I'm not sure of is whether jForum's code will honor the response or not. I can't remember seeing this code anywhere.

However, if you have a mix of private and public forums and are using the Recent Topics RSS feed, there is no easy way to decide if you need to challenge for credentials or not. So the Recent Topics option is designed for anonymous access only.
[originally posted on jforum.net by monroe]
 
In my case it's a totally private forum, so I modified the RSSAction class accordingly (see attached files).

By the way, is there a simple way to force authentication in any case? So the user goes to the login window instead of having an empty forum list?
[originally posted on jforum.net by Jean-Baptiste Catté]
 
Also, is there any other way to be notified of all new topics besides the RSS feed?
[originally posted on jforum.net by Jean-Baptiste Catté]
 
You could add something like:


[originally posted on jforum.net by monroe]
 
This is a security bug...

You could go to 'Recent topics'. As an admin I can see some on private forums.
Logout, I'm a guest now, look at the newest topics: they are filtered! (Good)
Click on the RSS feed: an unfiltered list appears!! Including post content!

Is there a CVS / SVN with a 2.1.8+ branch?

[originally posted on jforum.net by mosu]
 
I reply to myself, as a few others might find it useful 8)
jforum 2.1.8 is 22 months old; you can use the SVN sources from java.net.

I fixed the RSS exposure like this:
in the RSSAction class:


You might notice a new method for TopicsCommon: isTopicAccessibleForAnonymous(p.getForumId())


I put in an extra condition:
ForumRepository.isForumAccessible(1, forumId)
The old code did not use this check either; it only checked for the category (I don't know if it's really useful). :?:
Seems to work as expected.

Regards

[originally posted on jforum.net by mosu]
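The two fixes discussed in this thread (monroe's "no articles found" item for an empty list, and mosu's per-forum access check using the anonymous user's permissions) can be illustrated together. The following is an added, stand-alone example and is not JForum's code: `Topic`, `ForumAccess`, `ANONYMOUS_USER_ID` and `RecentTopicsFeedFilter` are assumptions invented here; JForum's real `ForumRepository.isForumAccessible(userId, forumId)` and `isTopicAccessibleForAnonymous` methods are only referenced by name in the posts above, so the interface below merely stands in for them. The point it demonstrates is that the feed must be filtered with exactly the same authorization decision as the HTML "recent topics" page, failing closed, and must still produce a well-formed channel when nothing survives the filter.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not JForum's code. Applies the anonymous user's per-forum
// access check to the recent-topics list before it is rendered as RSS, and
// keeps the channel well-formed when the filtered list is empty.
public class RecentTopicsFeedFilter {

    // Hypothetical: the thread passes user id 1 to isForumAccessible for
    // anonymous visitors; the constant name is an assumption of this example.
    public static final int ANONYMOUS_USER_ID = 1;

    // Minimal topic model, constructed for this example.
    public static final class Topic {
        public final int id;
        public final int forumId;
        public final String title;

        public Topic(int id, int forumId, String title) {
            this.id = id;
            this.forumId = forumId;
            this.title = title;
        }
    }

    // Stand-in for the forum access check; in the thread this is
    // ForumRepository.isForumAccessible(userId, forumId).
    public interface ForumAccess {
        boolean isForumAccessible(int userId, int forumId);
    }

    // Keep only topics whose forum the anonymous user may read. The feed is
    // served without a session, so the check is always made as anonymous.
    public static List<Topic> filterForAnonymous(List<Topic> recent, ForumAccess access) {
        List<Topic> visible = new ArrayList<>();
        for (Topic t : recent) {
            // Fail closed: a topic is emitted only when the check passes.
            if (access.isForumAccessible(ANONYMOUS_USER_ID, t.forumId)) {
                visible.add(t);
            }
        }
        return visible;
    }

    // Render <item> elements. An empty list yields one placeholder item so
    // strict readers that reject an item-less channel still parse the feed.
    public static List<String> toFeedItems(List<Topic> visible) {
        List<String> items = new ArrayList<>();
        if (visible.isEmpty()) {
            items.add("<item><title>No topics available</title></item>");
            return items;
        }
        for (Topic t : visible) {
            items.add("<item><title>" + escapeXml(t.title)
                    + "</title><guid isPermaLink=\"false\">" + t.id + "</guid></item>");
        }
        return items;
    }

    // Escape the characters that would break the XML of the feed.
    private static String escapeXml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    }

    public static void main(String[] args) {
        // Constructed sample: forum 10 is public, forum 20 is private.
        ForumAccess access = (userId, forumId) -> forumId == 10;
        List<Topic> recent = List.of(
                new Topic(1, 10, "Public topic"),
                new Topic(2, 20, "Private topic <staff only>"));

        // Only the public topic is rendered.
        for (String item : toFeedItems(filterForAnonymous(recent, access))) {
            System.out.println(item);
        }

        // Everything private: the channel still carries one placeholder item.
        ForumAccess nothingPublic = (userId, forumId) -> false;
        for (String item : toFeedItems(filterForAnonymous(recent, nothingPublic))) {
            System.out.println(item);
        }
    }
}
```

The filter deliberately ignores any session cookie: as monroe notes, third-party readers never send one, so the anonymous decision is the only one the feed can consistently make. Where the forum is entirely private, the same access check simply leaves the list empty and the placeholder item is all a reader receives.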