Note: You are currently viewing documentation for Moodle 1.9. Up-to-date documentation for the latest stable version is available here: Student projects/Secure RSS feeds.

Obsolete:Student projects/Secure RSS feeds: Difference between revisions

No edit summary
Line 8: Line 8:
Secure RSS feeds is a project about making the RSS feeds published by Moodle secure so that only desired people can access the feeds. More details here.[http://code.google.com/soc/2008/moodle/appinfo.html?csaid=3141B6C0C1823EA1]
Secure RSS feeds is a project about making the RSS feeds published by Moodle secure so that only desired people can access the feeds. More details here.[http://code.google.com/soc/2008/moodle/appinfo.html?csaid=3141B6C0C1823EA1]


Typical RSS URL will look like: “<nowiki>http://domain/moodle/rss/file.php/courseid/</nowiki><u>[[#hashkey|hash_key]]</u>user_id/modulename/instance/rss.xml”.  
Typical RSS URL will look like: “<nowiki>http://domain/moodle/rss/file.php/contextid/</nowiki><u>[[#hashkey|hash_key]]</u>user_id/modulename/instance/any/other/params/module/wants/rss.xml”.  


Where [[#hashkey|hash_key]] – special hash-string used to identify user.
Where [[#hashkey|hash_key]] – special hash-string used to identify user.
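Review bot: The new URL line adds the tail "any/other/params/module/wants", but the unchanged hash_key description below it does not say whether those extra path parameters are covered by the hash. Suggest stating that they are passed as $info and included in the hashed concatenation, so that one hash_key is not valid for every value of the tail. The hash_key and user_id are also still fused in one path segment ("hash_keyuser_id"); say how the two are split, for example by a fixed hash length.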
Line 21: Line 21:
# If hash-key is not specified, consider user as guest.  
# If hash-key is not specified, consider user as guest.  
# In current version of spec, hashes are not additionally salted.  
# In current version of spec, hashes are not additionally salted.  
# Each user will have one user_private_key for RSS per course.  
# User private keys are tied to context id's.
# There is an option to force https:// for all RSS feeds
# There is an option to force https:// for all RSS feeds
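Review bot: The replacement item "User private keys are tied to context id's." drops the cardinality the old item stated ("one user_private_key for RSS per course"), so the spec no longer says whether a user has one key per context or several. Suggest "Each user will have one user_private_key for RSS per context" if that is the intent, and write "context ids" without the apostrophe.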


Line 27: Line 27:


===rss_auth()===
===rss_auth()===
'''rss_auth($hash_key, $user_id, $course_id, $module, $instance, $info )'''
'''rss_auth($hash_key, $user_id, $course_id, $context_id, $module, $instance, $info )'''


* ''$hash_key'' - long hash-like string from URL.
* ''$hash_key'' - long hash-like string from URL.
* ''$user_id'' - user id from URL
* ''$user_id'' - user id from URL
* ''$course_id'' - the id of the course this feeds belongs to
* ''$course_id'' - the id of the course this feeds belongs to
* ''$context_id'' - the id of the context this feeds belongs to
* ''$module'' -  module name or course module object this feeds belongs to
* ''$module'' -  module name or course module object this feeds belongs to
* ''$instance'' - instance id. Could be blogid, forumid etc
* ''$instance'' - instance id. Could be blogid, forumid etc
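Review bot: The new rss_auth() signature adds $context_id but keeps $course_id, while the same revision replaces $courseid with $contextid in rss_get_url_key() and in the URL format. Either document why rss_auth() needs both ids and which of them the access check and key lookup use, or drop $course_id. Inserting the new argument in the middle also shifts $module, $instance and $info for any caller that passes them positionally.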
Line 40: Line 41:


===rss_get_url_key()===
===rss_get_url_key()===
'''rss_get_url_key( $userid, $courseid, $modulename, $instance, $info)'''
'''rss_get_url_key( $userid, $contextid, $modulename, $instance, $info)'''


* ''$user'' - user id.  
* ''$user'' - user id.  
* ''$courseid'' - the id of the course this feeds belongs to
* ''$contextid'' - the id of the context this feeds belongs to
* ''$modulename'' -  module name this feeds belongs to
* ''$modulename'' -  module name this feeds belongs to
* ''$instance'' - instance id. Could be blogid, forumid etc
* ''$instance'' - instance id. Could be blogid, forumid etc
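Review bot: The parameter list under rss_get_url_key() still names the first argument "$user" while the signature on both sides of the change uses "$userid"; fix the bullet while this list is being edited so the documented name matches the signature.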
Line 55: Line 56:
* In order to generate RSS feed, each module should implement two functions
* In order to generate RSS feed, each module should implement two functions
*# rss_newstuff($instance, $time,&$cache, $info) - which checks if there is new stuff
*# rss_newstuff($instance, $time,&$cache, $info) - which checks if there is new stuff
*# rss_generate_feed($instance,&$cache,$info) - generates and returns XML rss contents
*# rss_generate_feed($instance, $context, $info, $cache) - generates and returns XML rss contents
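Review bot: In the new rss_generate_feed() signature $cache moves to the last position and loses the by-reference "&", while rss_newstuff() on the line above still takes "&$cache" as its third argument. Say whether the feed generator may still write to the cache, and keep the argument order consistent between the two callbacks. The new $context argument is also introduced without saying whether it is a context id or a context object.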





Revision as of 20:25, 26 July 2008

Note: This page outlines ideas for the "Secure RSS feeds" project. It's a specification under construction! If you have any comments or suggestions, please add them to the page comments.

Status

This is a draft spec as part of the Google Summer of Code submission of Askars Salimbajevs (ghostinshell [at] gmail.com). It is preliminary and partial. The spec is based on the "Secure RSS feeds" idea described in Talk:Student projects/Secure RSS feeds. Any feedback is welcome.

Summary

Secure RSS feeds is a project about making the RSS feeds published by Moodle secure so that only desired people can access the feeds. More details here.[1]

Typical RSS URL will look like: “http://domain/moodle/rss/file.php/contextid/hash_keyuser_id/modulename/instance/any/other/params/module/wants/rss.xml”.

Here hash_key is a special hash string used to identify the user.

The user is identified by comparing the hash_key part with the real hash value of the concatenation user_id + user_private_key (from the DB) + modulename + instance (from the URL).

If someone steals one private feed URL, they won't be able to use it to read other private feeds.

Security

  1. The hash-key is the hash value of the concatenation of user_id, user_private_key, modulename (and other information used to identify the RSS feed).
  2. If the hash-key is not specified, the user is treated as a guest.
  3. In the current version of the spec, hashes are not additionally salted.
  4. User private keys are tied to context ids.
  5. There is an option to force https:// for all RSS feeds.

Core functions

rss_auth()

rss_auth($hash_key, $user_id, $course_id, $context_id, $module, $instance, $info )

  • $hash_key - long hash-like string from the URL.
  • $user_id - user id from the URL
  • $course_id - the id of the course this feed belongs to
  • $context_id - the id of the context this feed belongs to
  • $module - module name or course module object this feed belongs to
  • $instance - instance id. Could be blogid, forumid etc
  • $info - additional information, which is used to accurately identify the RSS feed. Can be an array.

Authenticates the user by the hash string in the URL and sets up $USER and other necessary state (done by calling the Moodle core function require_user_key_login()). Checks whether the user can access the particular course and module. The function terminates with an error if the user doesn't have access to the course or module.

rss_get_url_key()

rss_get_url_key( $userid, $contextid, $modulename, $instance, $info)

  • $user - user id.
  • $contextid - the id of the context this feed belongs to
  • $modulename - module name this feed belongs to
  • $instance - instance id. Could be blogid, forumid etc
  • $info - additional information, which is used to accurately identify the RSS feed. Can be an array.

The function returns a long hash-like string, which can be used later to access a specific RSS feed. Used when printing links.
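The key scheme from the Summary and Security sections, and the roles of rss_get_url_key() and rss_auth() described above, as an added sketch (example code written for this page, not the project's implementation). The function names, the SHA-256 choice, the NUL field separator and the in-memory key table are assumptions; the spec only says the fields are concatenated and hashed, and HMAC keyed with user_private_key is used here in place of that plain hash.

```php
<?php
// Added illustration, not Moodle code. All names below are hypothetical.
const EXAMPLE_KEY_LEN = 64; // hex length of a SHA-256 digest (assumed hash)

// Build the hash_key for one feed. Fields are joined with "\0" so that
// ("12", "3") and ("1", "23") cannot collapse into the same input string.
function example_rss_url_key(int $userid, string $privatekey, string $modulename,
                             int $instance, array $info = []): string {
    $fields = array_merge([$userid, $modulename, $instance], array_map('strval', $info));
    return hash_hmac('sha256', implode("\0", $fields), $privatekey);
}

// Split the fused "hash_keyuser_id" path segment. The key has a fixed length,
// so everything after it is the user id even though both parts contain digits.
function example_rss_split_segment(string $segment): ?array {
    $pattern = '/^([0-9a-f]{' . EXAMPLE_KEY_LEN . '})([1-9][0-9]*)$/D';
    if (!preg_match($pattern, $segment, $m)) {
        return null; // missing or malformed key: the spec treats this as guest
    }
    return ['hash_key' => $m[1], 'user_id' => (int)$m[2]];
}

// Recompute the key from the stored private key and compare in constant time.
// Returns the authenticated user id, or null when the caller is a guest.
function example_rss_check(string $segment, callable $lookupkey, int $contextid,
                           string $modulename, int $instance, array $info = []): ?int {
    $parts = example_rss_split_segment($segment);
    if ($parts === null) {
        return null;
    }
    $privatekey = $lookupkey($parts['user_id'], $contextid);
    if ($privatekey === null) {
        return null; // no key stored for this user in this context
    }
    $expected = example_rss_url_key($parts['user_id'], $privatekey, $modulename, $instance, $info);
    return hash_equals($expected, $parts['hash_key']) ? $parts['user_id'] : null;
}

// Constructed sample data standing in for the stored user_private_key values,
// indexed by "userid:contextid".
$keys = ['42:17' => 'constructed-private-key-for-demo'];
$lookup = fn(int $uid, int $ctx) => $keys["$uid:$ctx"] ?? null;

$segment = example_rss_url_key(42, $keys['42:17'], 'forum', 5) . '42';
var_dump(example_rss_check($segment, $lookup, 17, 'forum', 5));    // the feed the key was issued for
var_dump(example_rss_check($segment, $lookup, 17, 'forum', 6));    // same key replayed on another instance
var_dump(example_rss_check($segment, $lookup, 17, 'glossary', 5)); // same key replayed on another module
var_dump(example_rss_check('42', $lookup, 17, 'forum', 5));        // no hash_key in the segment
```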

Changes in RSS feed subsystem

  • No more Cron jobs for RSS feeds.
  • All feeds are generated on the fly (i.e. no cached .xml files)
  • In order to generate RSS feed, each module should implement two functions
    1. rss_newstuff($instance, $time,&$cache, $info) - which checks if there is new stuff
    2. rss_generate_feed($instance, $context, $info, $cache) - generates and returns XML rss contents


Interface mockups

RSS links on Course page

blocks.gif

Calendar RSS links

calendar rss.gif

calblockrss.gif

Recent activity RSS feed preferences page

activityrsspref.gif

Tasks and Timeline

  • Further develop spec, get feedback, feel out implementation ✔
  • Implement core functions - 1-2w ✔
  • Secure existing RSS feeds in Moodle 1w ✔
    1. Forums ✔
    2. Blogs ✔
    3. Database module ✔
    4. Glossary ✔
  • Add option to force HTTPS for RSS feeds ✔
  • Add RSS to other areas of Moodle.
    1. Calendar (Upcoming events) 1-2w ✔
    2. Recent Activity 1-2w ✔
    3. Assignments submitted 1w ✔
    4. Messaging 1w ✔
  • Upgrade whole RSS subsystem. 1-3w
    1. Each module should have own function, that checks if there are any changes. ✔
    2. Use ETag and If-Modified-Since headers. ✔
    3. Generate RSS content on the fly (no cache files, no rss cron jobs) ✔
    4. ContextId ?
    5. file.php (stub code?)
  • Extensive debugging - 1w
  • Submit code to Google
  • Optional tasks - 1-2w
    1. Give user an ability to manage his private keys
    2. Recent activity feed for course category/all courses
    3. Fix RSS feed related issues submitted at Moodle Tracker

Glossary

  • Hash value (also called a "digest" or a "checksum") - A concise representation of the longer message or document from which it was computed. The message digest is a sort of "digital fingerprint" of the larger document.
  • RSS feed - A family of Web feed formats used to publish all kinds of frequently updated content, usually blog entries, news headlines, and podcasts. RSS has proved to be a very convenient, easy-to-use and fast-to-implement technology, which makes users more productive and saves a lot of time.
  • user_private_key - Unique hash-like string used for user identification. Stored in the database.

See also