Obsolete:Student projects/Secure RSS feeds
Note: This page outlines ideas for the "Secure RSS feeds" project. It's a specification under construction! If you have any comments or suggestions, please add them to the page comments.
Status
This is a draft spec as part of the Google Summer of Code submission of Askars Salimbajevs (ghostinshell [at] gmail.com). It is preliminary and partial. Spec based on the "Secure RSS feeds" idea described in Talk:Student projects/Secure RSS feeds. Any feedback is welcome.
Summary
Secure RSS feeds is a project about making the RSS feeds published by Moodle secure so that only desired people can access the feeds. More details here.[1]
Typical RSS URL will look like: “http://domain/moodle/rss/file.php/courseid/hash_keyuser_id/modulename/instance/rss.xml”.
Where hash_key – special hash-string used to identify user.
User is identified by comparing part hash_key with the real hash value of user_id + user_private_key(from DB) + modulename + instance(from URL) concatenation.
If someone stole one private feed URL, he won’t be able to use it for reading other private feeds.
Security
- Hash-key is a hash value from user_id, user_private_key, modulename (and other information, which is used to identify RSS feed) concatenation.
- If hash-key is not specified, consider user as guest.
- In current version of spec, hashes are not additionally salted.
- Each user will have one user_private_key for RSS per course.
- There is an option to force https:// for all RSS feeds
Core functions
rss_auth()
rss_auth($hash_key, $user_id, $course_id, $module, $instance, $info )
- $hash_key - long hash-like string from URL.
- $user_id - user id from URL
- $course_id - the id of the course this feeds belongs to
- $module - module name or course module object this feeds belongs to
- $instance - instance id. Could be blogid, forumid etc
- $info - additonal information, which is used to accurately identify RSS feed. Can be array.
Authenticates user by hash-string in URL, sets up $USER and other necessary stuff(done by calling Moodle core function require_user_key_login()). Checks if the user can access particular course and module. Function terminates with error if user doesn't have access to course\module.
rss_get_url_key()
rss_get_url_key( $userid, $courseid, $modulename, $instance, $info)
- $user - user id.
- $courseid - the id of the course this feeds belongs to
- $modulename - module name this feeds belongs to
- $instance - instance id. Could be blogid, forumid etc
- $info - additonal information, which is used to accurately identify RSS feed. Can be array.
Function returns long hash-like string, which can be used later to access specific RSS feed. Used when printing links.
Interface mockups
Tasks and Timeline
- Further develop spec, get feedback, feel out implementation ✔
- Implement core functions - 1-2w ✔
- Secure existing RSS feeds in Moodle 1w ✔
- Forums ✔
- Blogs ✔
- Database module ✔
- Glossary ✔
- Add option to force HTTPS for RSS feeds ✔
- Add RSS to other areas of Moodle.
- Calendar(Upcoming events) 1-2w ✔
- Recent Activity 1-2w ✔
- Assigments submitted(for instructors) 1w
- Recent activity for course category/all courses 1w
- Messaging 1w
- ...
- Give user an ability to manage his private keys
- More flexible RSS enable/disable settings
- Extensive debugging - 1w
- Submit code to Google
- Optional tasks - 1-2w
- Fix RSS feed related issues submitted at Moodle Tracker
Glossary
Term | Definition |
Hash value (also called a "digest" or a "checksum") | A concise representation of the longer message or document from which it was computed. The message digest is a sort of "digital fingerprint" of the larger document. |
RSS feed | A family of Web feed formats used to publish all kind of frequently updated content, usually blog entries, news headlines, and podcasts. RSS proved to be very convenient and easy-to-use, fast–to-implement technology, which makes users more productive and saves a lot of time. |
user_private_key | unique hash-like string used for user identification. Stored in database. |