recentTopics.page give you access to private forums

Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Hi,

As you need no authentication to see the RSS feed /rss/recentTopics.page, you can see any forum topic as an anonymous user.

Is there any way to change that, so that private forums are really private?

Thanks.


[originally posted on jforum.net by Jean-Baptiste Catté]
Delving into the code, it looks like the RecentTopics RSS code lost its security check. A quick patch would be to modify the RSSAction.recentTopics() method by replacing this line:



with the code below.


[originally posted on jforum.net by monroe]
Thanks a lot monroe,

I tried your patch and it worked: not possible anymore to see unauthorized topics.

But:
1) you get a malformed feed error if the list of topics is empty
2) authentication is not asked for, so if you are already identified in Firefox it works, but in an external RSS reader such as RSSOwl it doesn't.

1) is not a minor problem, but 2) is a major one; any clue?
[originally posted on jforum.net by Jean-Baptiste Catté]
1) Technically, this is really a discussion to take up with the RSS authors. The spec at http://cyber.law.harvard.edu/rss/rss.html lists the item tag as being under the optional tags required in a channel. It also states that any number of them can be included... 0 is a number.

That said, you could try upping the number of articles searched for public content. This is currently limited by the number of posts per page config setting. You might double that in the class.

Alternatively, either RSS.getItens (yes, it's spelled that way) could be modified to return a "no articles found" RSSItem if the list is null, or you can modify the rss_template.htm file to handle no items.

2) This is because RSS feeds do not have any standardized security mechanisms. It works with a browser because the browser will send the JForum related cookies along with the request. Third party RSS readers don't know about any HTML cookies and don't send any.

The closest thing to a "standard" is the use of basic authentication. But there are still not many RSS readers that support this.

For private forums, jForum will send a 401 error back with a request for basic auth. One thing I'm not sure of is whether jForum's code will honor the response or not. I can't remember seeing this code anywhere.

However, if you have a mix of private and public forums and are using the Recent Topics RSS feed, there is no easy way to decide if you need to challenge for credentials or not. So the Recent Topics option is designed for anonymous access only.
[originally posted on jforum.net by monroe]
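As an added illustration of the 401 challenge described above (this is not JForum's code and not from the thread), the servlet method below accepts either the browser's existing session cookie or an HTTP Basic `Authorization` header, and challenges only when it has neither. It fits the case the thread settles on, a board whose forums are all private, where the challenge decision is unambiguous. The session attribute name, the realm string and the `checkCredentials` lookup are assumptions; the sample credentials inside it are constructed for this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not JForum's code): authentication for an RSS endpoint on a
 * board that has only private forums. Accepts the browser's session cookie or
 * an HTTP Basic header; otherwise answers with a 401 challenge.
 */
public class PrivateFeedAuth {

    // Assumed names: JForum's real session attribute and realm may differ.
    private static final String SESSION_USER_ATTR = "user";
    private static final String REALM = "private-forum";

    /**
     * Returns the authenticated user name, or null after a 401 challenge has
     * been written to the response (the caller must then return without
     * rendering any feed content).
     */
    public static String authenticate(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Browser case: the session cookie identifies an already logged-in user.
        HttpSession session = req.getSession(false);
        if (session != null && session.getAttribute(SESSION_USER_ATTR) != null) {
            return (String) session.getAttribute(SESSION_USER_ATTR);
        }

        // Feed-reader case: no cookie, but possibly "Authorization: Basic base64(user:pass)".
        String user = userFromBasicHeader(req.getHeader("Authorization"));
        if (user != null) {
            return user;
        }

        // Neither: challenge. Readers that support Basic auth retry with credentials.
        resp.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return null;
    }

    /** Parses a Basic header and verifies it; returns the user name or null. */
    static String userFromBasicHeader(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                                 StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformed) {
            return null; // garbage after "Basic " counts as no credentials, not a 500
        }
        int colon = decoded.indexOf(':');
        if (colon <= 0) {
            return null;
        }
        String user = decoded.substring(0, colon);
        String password = decoded.substring(colon + 1);
        return checkCredentials(user, password) ? user : null;
    }

    // Hypothetical stand-in for the board's own user-store lookup; the
    // credentials here are constructed sample values for this example only.
    static boolean checkCredentials(String user, String password) {
        return "alice".equals(user) && "correct horse".equals(password);
    }
}
```

The feed handler calls `authenticate` first and renders nothing when it returns null. Because Basic auth only base64-encodes the credentials, the endpoint should be served over HTTPS so that readers which do support the challenge are not sending passwords in the clear.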
In my case it's a totally private forum, so I modified the RSSAction class accordingly (see attached files).

By the way is there a simple way to force authentication in any case? So the user goes to login window instead of having an empty forum list?
[originally posted on jforum.net by Jean-Baptiste Catté]
Also is there any other way to be notified on all new topics beside the RSS feed?
[originally posted on jforum.net by Jean-Baptiste Catté]
You could add something like:


[originally posted on jforum.net by monroe]
This is a security bug...

You can go to 'Recent topics'. As an admin I can see some on private forums.
Log out, I'm a guest now, look at the newest topics: they are filtered! (Good)
Click on the RSS feed: the unfiltered list appears!! Including post content!

Is there a CVS / SVN with 2.1.8+ branch?

[originally posted on jforum.net by mosu]
I reply to myself, as a few others might find it useful 8)
jforum2.1.8 is 22 months old; you can use the SVN sources from java.net.

I fixed RSS exposure like this:
in RSSAction class:


You might notice a new method in TopicsCommon (isTopicAccessibleForAnonymous(p.getForumId())).


I put in an extra condition:
ForumRepository.isForumAccessible(1, forumId)
The old code did not use this check either; it only checked the category (I don't know if it's really useful). :?:
It seems to work as expected.

Regards

[originally posted on jforum.net by mosu]
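To show the two fixes the thread converges on in one place (the per-topic anonymous-access check mosu describes, and monroe's "no articles found" item for an otherwise empty channel), here is an added, self-contained example. It is not JForum's code: `Topic`, `FeedItem`, the `anonymousReadableForums` set standing in for `ForumRepository.isForumAccessible(1, forumId)`, and the link format are all assumptions, and the sample topics are constructed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example (not JForum's code): build the "recent topics" feed so that an
 * anonymous visitor only ever sees topics from forums the anonymous group may
 * read, and never gets an <item>-less channel.
 */
public class AnonymousFeedFilter {

    /** Minimal topic record (stand-in for JForum's Topic). */
    public static final class Topic {
        final int id;
        final int forumId;
        final String title;
        public Topic(int id, int forumId, String title) {
            this.id = id; this.forumId = forumId; this.title = title;
        }
    }

    /** What ends up in the feed (stand-in for RSSItem). */
    public static final class FeedItem {
        public final String title;
        public final String link;
        public FeedItem(String title, String link) { this.title = title; this.link = link; }
    }

    // Stand-in for the permission lookup: forum ids readable by the anonymous group
    // (group id 1 in the thread's ForumRepository.isForumAccessible(1, forumId) call).
    private final Set<Integer> anonymousReadableForums;

    public AnonymousFeedFilter(Set<Integer> anonymousReadableForums) {
        this.anonymousReadableForums = anonymousReadableForums;
    }

    /** Equivalent of the isTopicAccessibleForAnonymous(forumId) check from the thread. */
    public boolean isTopicAccessibleForAnonymous(int forumId) {
        return anonymousReadableForums.contains(forumId);
    }

    /**
     * Builds feed items. When the caller is anonymous, topics in non-public
     * forums are dropped before any title or post content is rendered, and the
     * drop happens before the per-page limit is counted.
     */
    public List<FeedItem> buildItems(List<Topic> recent, boolean anonymous, int limit) {
        List<FeedItem> items = new ArrayList<>();
        for (Topic t : recent) {
            if (items.size() >= limit) {
                break;
            }
            if (anonymous && !isTopicAccessibleForAnonymous(t.forumId)) {
                continue; // the check the original RSS code was missing
            }
            // Link format is illustrative only.
            items.add(new FeedItem(t.title, "/posts/list/" + t.id + ".page"));
        }
        if (items.isEmpty()) {
            // Some readers reject a channel with no <item>; emit a placeholder instead.
            items.add(new FeedItem("No topics available", "/forums/list.page"));
        }
        return items;
    }

    public static void main(String[] args) {
        // Constructed sample: forums 1 and 2 are public, forum 3 is private.
        AnonymousFeedFilter filter = new AnonymousFeedFilter(new HashSet<>(Arrays.asList(1, 2)));
        List<Topic> recent = Arrays.asList(
                new Topic(10, 3, "Staff only: moderation notes"),
                new Topic(11, 1, "Welcome to the board"),
                new Topic(12, 3, "Staff only: budget"));
        for (FeedItem item : filter.buildItems(recent, true, 20)) {
            System.out.println(item.title + " -> " + item.link); // only the forum-1 topic
        }
        for (FeedItem item : filter.buildItems(recent, true, 0)) {
            System.out.println(item.title + " -> " + item.link); // the placeholder item
        }
    }
}
```

Filtering before the limit is applied means an anonymous reader still receives up to `limit` public topics rather than a feed shortened by hidden ones, which is the effect monroe was after with "upping the number of articles searched". The placeholder item keeps the channel well-formed without revealing that anything was withheld.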