incubator-jspwiki-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Luca Gilardoni <...@quinary.com>
Subject Rss and authentication
Date Fri, 20 Feb 2009 12:51:12 GMT
All, after some struggling to understand why I could not see global rss, 
I noticed this post:

*Q:* My RSS feed isn't working, I've already checked the common things 
like BaseURL and properties. Could it be that it is because of my 
security policy, which needs the user to be authenticated to do anything?

--FlorianHoleczek <http://www.jspwiki.org/wiki/FlorianHoleczek>

*A:* The global RSS feed won't show any pages that an anonymous user 
does not have access to. Page-specific feeds use the current HTTP 
request to determine the credentials.

--JanneJalkanen <http://www.jspwiki.org/wiki/JanneJalkanen>

While this makes a lot of sense in general, it is also true that the 
policy is safe but a bit stronger. I would say authenticated users 
*should* be able to
see an rss restricted to the pages they have access too.
Albeit the obvious drawback is that in this case the rss would have to 
be generated or filtered on the fly.

a) generation on the fly would probably be simpler - just taking down 
credentials to rss generation (generateFullWikiRSS - or variant)
b) filtering also would probably not be too difficult. Just removing 
checks on credentials withing generateFullWikiRSS (assuming if the wiki
is managed to handle only authenticated users the rss.rdf can be 
protected for direct access as well) and adding a filter in the serving 
page.


Anyone else share my thoughts? Further hints on the subject?

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message