Obsolete:Student projects/Secure RSS feeds: Difference between revisions
No edit summary |
|||
Line 8: | Line 8: | ||
Secure RSS feeds is a project about making the RSS feeds published by Moodle secure so that only desired people can access the feeds. More details here.[http://code.google.com/soc/2008/moodle/appinfo.html?csaid=3141B6C0C1823EA1] | Secure RSS feeds is a project about making the RSS feeds published by Moodle secure so that only desired people can access the feeds. More details here.[http://code.google.com/soc/2008/moodle/appinfo.html?csaid=3141B6C0C1823EA1] | ||
Typical RSS URL will look like: “<nowiki>http://domain/moodle/rss/file.php/ | Typical RSS URL will look like: “<nowiki>http://domain/moodle/rss/file.php/contextid/</nowiki><u>[[#hashkey|hash_key]]</u>user_id/modulename/instance/any/other/params/module/wants/rss.xml”. | ||
Where [[#hashkey|hash_key]] – special hash-string used to identify user. | Where [[#hashkey|hash_key]] – special hash-string used to identify user. | ||
Line 21: | Line 21: | ||
# If hash-key is not specified, consider user as guest. | # If hash-key is not specified, consider user as guest. | ||
# In current version of spec, hashes are not additionally salted. | # In current version of spec, hashes are not additionally salted. | ||
# | # User private keys are tied to context id's. | ||
# There is an option to force https:// for all RSS feeds | # There is an option to force https:// for all RSS feeds | ||
Line 27: | Line 27: | ||
===rss_auth()=== | ===rss_auth()=== | ||
'''rss_auth($hash_key, $user_id, $course_id, $module, $instance, $info )''' | '''rss_auth($hash_key, $user_id, $course_id, $context_id, $module, $instance, $info )''' | ||
* ''$hash_key'' - long hash-like string from URL. | * ''$hash_key'' - long hash-like string from URL. | ||
* ''$user_id'' - user id from URL | * ''$user_id'' - user id from URL | ||
* ''$course_id'' - the id of the course this feeds belongs to | * ''$course_id'' - the id of the course this feeds belongs to | ||
* ''$context_id'' - the id of the context this feeds belongs to | |||
* ''$module'' - module name or course module object this feeds belongs to | * ''$module'' - module name or course module object this feeds belongs to | ||
* ''$instance'' - instance id. Could be blogid, forumid etc | * ''$instance'' - instance id. Could be blogid, forumid etc | ||
Line 40: | Line 41: | ||
===rss_get_url_key()=== | ===rss_get_url_key()=== | ||
'''rss_get_url_key( $userid, $ | '''rss_get_url_key( $userid, $contextid, $modulename, $instance, $info)''' | ||
* ''$user'' - user id. | * ''$user'' - user id. | ||
* ''$ | * ''$contextid'' - the id of the context this feeds belongs to | ||
* ''$modulename'' - module name this feeds belongs to | * ''$modulename'' - module name this feeds belongs to | ||
* ''$instance'' - instance id. Could be blogid, forumid etc | * ''$instance'' - instance id. Could be blogid, forumid etc | ||
Line 55: | Line 56: | ||
* In order to generate RSS feed, each module should implement two functions | * In order to generate RSS feed, each module should implement two functions | ||
*# rss_newstuff($instance, $time,&$cache, $info) - which checks if there is new stuff | *# rss_newstuff($instance, $time,&$cache, $info) - which checks if there is new stuff | ||
*# rss_generate_feed($instance, | *# rss_generate_feed($instance, $context, $info, $cache) - generates and returns XML rss contents | ||
Revision as of 20:25, 26 July 2008
Note: This page outlines ideas for the "Secure RSS feeds" project. It's a specification under construction! If you have any comments or suggestions, please add them to the page comments.
Status
This is a draft spec as part of the Google Summer of Code submission of Askars Salimbajevs (ghostinshell [at] gmail.com). It is preliminary and partial. Spec based on the "Secure RSS feeds" idea described in Talk:Student projects/Secure RSS feeds. Any feedback is welcome.
Summary
Secure RSS feeds is a project about making the RSS feeds published by Moodle secure so that only desired people can access the feeds. More details here.[1]
Typical RSS URL will look like: “http://domain/moodle/rss/file.php/contextid/hash_keyuser_id/modulename/instance/any/other/params/module/wants/rss.xml”.
Where hash_key – special hash-string used to identify user.
User is identified by comparing part hash_key with the real hash value of user_id + user_private_key(from DB) + modulename + instance(from URL) concatenation.
If someone stole one private feed URL, he won’t be able to use it for reading other private feeds.
Security
- Hash-key is a hash value from user_id, user_private_key, modulename (and other information, which is used to identify RSS feed) concatenation.
- If hash-key is not specified, consider user as guest.
- In current version of spec, hashes are not additionally salted.
- User private keys are tied to context id's.
- There is an option to force https:// for all RSS feeds
Core functions
rss_auth()
rss_auth($hash_key, $user_id, $course_id, $context_id, $module, $instance, $info )
- $hash_key - long hash-like string from URL.
- $user_id - user id from URL
- $course_id - the id of the course this feeds belongs to
- $context_id - the id of the context this feeds belongs to
- $module - module name or course module object this feeds belongs to
- $instance - instance id. Could be blogid, forumid etc
- $info - additonal information, which is used to accurately identify RSS feed. Can be array.
Authenticates user by hash-string in URL, sets up $USER and other necessary stuff(done by calling Moodle core function require_user_key_login()). Checks if the user can access particular course and module. Function terminates with error if user doesn't have access to course\module.
rss_get_url_key()
rss_get_url_key( $userid, $contextid, $modulename, $instance, $info)
- $user - user id.
- $contextid - the id of the context this feeds belongs to
- $modulename - module name this feeds belongs to
- $instance - instance id. Could be blogid, forumid etc
- $info - additonal information, which is used to accurately identify RSS feed. Can be array.
Function returns long hash-like string, which can be used later to access specific RSS feed. Used when printing links.
Changes in RSS feed subsystem
- No more Cron jobs for RSS feeds.
- All feeds are generated on the fly (i.e. no cached .xml files)
- In order to generate RSS feed, each module should implement two functions
- rss_newstuff($instance, $time,&$cache, $info) - which checks if there is new stuff
- rss_generate_feed($instance, $context, $info, $cache) - generates and returns XML rss contents
Interface mockups
RSS links on Course page
Calendar RSS links
Recent activity RSS feed preferences page
Tasks and Timeline
- Further develop spec, get feedback, feel out implementation ✔
- Implement core functions - 1-2w ✔
- Secure existing RSS feeds in Moodle 1w ✔
- Forums ✔
- Blogs ✔
- Database module ✔
- Glossary ✔
- Add option to force HTTPS for RSS feeds ✔
- Add RSS to other areas of Moodle.
- Calendar(Upcoming events) 1-2w ✔
- Recent Activity 1-2w ✔
- Assigments submitted 1w ✔
- Messaging 1w ✔
- Upgrade whole RSS subsystem. 1-3w
- Each module should have own function, that checks if there are any changes. ✔
- Use ETag and If-Modified-Since headers. ✔
- Generate RSS content on the fly(no cache files, no rss cron jobs) ✔
- ContextId ?
- file.php (stub code?)
- Extensive debugging - 1w
- Submit code to Google
- Optional tasks - 1-2w
- Give user an ability to manage his private keys
- Recent activity feed for course category/all courses
- Fix RSS feed related issues submitted at Moodle Tracker
Glossary
Term | Definition |
Hash value (also called a "digest" or a "checksum") | A concise representation of the longer message or document from which it was computed. The message digest is a sort of "digital fingerprint" of the larger document. |
RSS feed | A family of Web feed formats used to publish all kind of frequently updated content, usually blog entries, news headlines, and podcasts. RSS proved to be very convenient and easy-to-use, fast–to-implement technology, which makes users more productive and saves a lot of time. |
user_private_key | unique hash-like string used for user identification. Stored in database. |