Obsolete:Student projects/Secure RSS feeds: Difference between revisions
| Line 93: | Line 93: | ||
*# ContextId ? | *# ContextId ? | ||
*# file.php (stub code?) | *# file.php (stub code?) | ||
* Customized RSS enable/disable settings for each course. | |||
* Extensive debugging - 1w | * Extensive debugging - 1w | ||
* Submit code to Google | * Submit code to Google | ||
* Optional tasks - 1-2w | * Optional tasks - 1-2w | ||
*# Give user an ability to manage his private keys | *# Give user an ability to manage his private keys | ||
*# Recent activity feed for course category/all courses | *# Recent activity feed for course category/all courses | ||
*# Fix RSS feed related issues submitted at Moodle Tracker | *# Fix RSS feed related issues submitted at Moodle Tracker | ||
Revision as of 10:59, 17 July 2008
Note: This page outlines ideas for the "Secure RSS feeds" project. It's a specification under construction! If you have any comments or suggestions, please add them to the page comments.
Status
This is a draft spec as part of the Google Summer of Code submission of Askars Salimbajevs (ghostinshell [at] gmail.com). It is preliminary and partial. Spec based on the "Secure RSS feeds" idea described in Talk:Student projects/Secure RSS feeds. Any feedback is welcome.
Summary
Secure RSS feeds is a project about making the RSS feeds published by Moodle secure so that only desired people can access the feeds. More details here.[1]
Typical RSS URL will look like: “http://domain/moodle/rss/file.php/courseid/hash_keyuser_id/modulename/instance/rss.xml”.
Where hash_key – special hash-string used to identify user.
User is identified by comparing part hash_key with the real hash value of user_id + user_private_key(from DB) + modulename + instance(from URL) concatenation.
If someone stole one private feed URL, he won’t be able to use it for reading other private feeds.
Security
- Hash-key is a hash value from user_id, user_private_key, modulename (and other information, which is used to identify RSS feed) concatenation.
- If hash-key is not specified, consider user as guest.
- In current version of spec, hashes are not additionally salted.
- Each user will have one user_private_key for RSS per course.
- There is an option to force https:// for all RSS feeds
Core functions
rss_auth()
rss_auth($hash_key, $user_id, $course_id, $module, $instance, $info )
- $hash_key - long hash-like string from URL.
- $user_id - user id from URL
- $course_id - the id of the course this feeds belongs to
- $module - module name or course module object this feeds belongs to
- $instance - instance id. Could be blogid, forumid etc
- $info - additonal information, which is used to accurately identify RSS feed. Can be array.
Authenticates user by hash-string in URL, sets up $USER and other necessary stuff(done by calling Moodle core function require_user_key_login()). Checks if the user can access particular course and module. Function terminates with error if user doesn't have access to course\module.
rss_get_url_key()
rss_get_url_key( $userid, $courseid, $modulename, $instance, $info)
- $user - user id.
- $courseid - the id of the course this feeds belongs to
- $modulename - module name this feeds belongs to
- $instance - instance id. Could be blogid, forumid etc
- $info - additonal information, which is used to accurately identify RSS feed. Can be array.
Function returns long hash-like string, which can be used later to access specific RSS feed. Used when printing links.
Changes in RSS feed subsystem
- No more Cron jobs for RSS feeds.
- All feeds are generated on the fly (i.e. no cached .xml files)
- In order to generate RSS feed, each module should implement two functions
- rss_newstuff($instance, $time,&$cache, $info) - which checks if there is new stuff
- rss_generate_feed($instance,&$cache,$info) - generates and returns XML rss contents
Interface mockups
RSS links on Course page
Calendar RSS links
Recent activity RSS feed preferences page
Tasks and Timeline
- Further develop spec, get feedback, feel out implementation ✔
- Implement core functions - 1-2w ✔
- Secure existing RSS feeds in Moodle 1w ✔
- Forums ✔
- Blogs ✔
- Database module ✔
- Glossary ✔
- Add option to force HTTPS for RSS feeds ✔
- Add RSS to other areas of Moodle.
- Calendar(Upcoming events) 1-2w ✔
- Recent Activity 1-2w ✔
- Assigments submitted 1w ✔
- Messaging 1w
- Upgrade whole RSS subsystem. 1-3w
- Each module should have own function, that checks if there are any changes. ✔
- Use ETag and If-Modified-Since headers. ✔
- Generate RSS content on the fly(no cache files, no rss cron jobs) ✔
- ContextId ?
- file.php (stub code?)
- Customized RSS enable/disable settings for each course.
- Extensive debugging - 1w
- Submit code to Google
- Optional tasks - 1-2w
- Give user an ability to manage his private keys
- Recent activity feed for course category/all courses
- Fix RSS feed related issues submitted at Moodle Tracker
Glossary
| Term | Definition |
| Hash value (also called a "digest" or a "checksum") | A concise representation of the longer message or document from which it was computed. The message digest is a sort of "digital fingerprint" of the larger document. |
| RSS feed | A family of Web feed formats used to publish all kind of frequently updated content, usually blog entries, news headlines, and podcasts. RSS proved to be very convenient and easy-to-use, fast–to-implement technology, which makes users more productive and saves a lot of time. |
| user_private_key | unique hash-like string used for user identification. Stored in database. |
