This is a test site. Any changes will be lost!

Student projects/Secure RSS feeds: Difference between revisions

From MoodleDocs
← Older edit
VisualWikitext
No edit summary
 
(25 intermediate revisions by 2 users not shown)
Line 1: Line 1:
<p class="note">'''Note''': This page outlines ideas for the "Secure RSS feeds" project. It's a ''specification under construction''! If you have any comments or suggestions, please add them to the [[Talk:Student projects/Secure RSS Feeds|page comments]].''</p>
{{obsolete_design}}


<p class="note">'''Note''': This page outlines ideas for the "Secure RSS feeds" project. If you have any comments or suggestions, please add them to the [[Talk:Student projects/Secure RSS Feeds|page comments]].''</p>
{{Moodle 1.9}}
== Status ==  
== Status ==  


This is a draft spec as part of the Google Summer of Code submission of Askars Salimbajevs (ghostinshell [at] gmail.com). It is '''preliminary and partial'''. Spec based on the "Secure RSS feeds" idea described in [[Talk:Student projects/Secure RSS feeds]]. Any feedback is welcome.
Release candidate. All main objectives complete.  


==Summary==
==Summary==
Secure RSS feeds is a project about making the RSS feeds published by Moodle secure so that only desired people can access the feeds. More details here.[http://code.google.com/soc/2008/moodle/appinfo.html?csaid=3141B6C0C1823EA1]
Secure RSS feeds is a project about making the RSS feeds published by Moodle secure so that only desired people can access the feeds. More details here.[http://code.google.com/soc/2008/moodle/appinfo.html?csaid=3141B6C0C1823EA1]


Typical RSS URL will look like: “<nowiki>http://domain/moodle/rss/file.php/courseid/</nowiki><u>[[#hashkey|hash_key]]</u>user_id/modulename/instance/rss.xml”.  
Typical RSS URL will look like: “<nowiki>http://domain/moodle/rss/file.php/contextid/</nowiki><u>[[#hashkey|hash_key]]</u>user_id/modulename/instance/any/other/params/module/wants/rss.xml”.  


Where [[#hashkey|hash_key]] – special hash-string used to identify user.
Where [[#hashkey|hash_key]] – special hash-string used to identify user.
Line 21: Line 24:
# If hash-key is not specified, consider user as guest.  
# If hash-key is not specified, consider user as guest.  
# In current version of spec, hashes are not additionally salted.  
# In current version of spec, hashes are not additionally salted.  
# Each user will have one user_private_key for RSS per course.  
# User private keys are tied to context id's.
# There is an option to force https:// for all RSS feeds
# There is an option to force https:// for all RSS feeds


Line 27: Line 30:


===rss_auth()===
===rss_auth()===
'''rss_auth($hash_key, $user_id, $course_id, $module, $instance, $info )'''
'''rss_auth($hash_key, $user_id, $course_id, $context_id, $module, $instance, $info )'''


* ''$hash_key'' - long hash-like string from URL.
* ''$hash_key'' - long hash-like string from URL.
* ''$user_id'' - user id from URL
* ''$user_id'' - user id from URL
* ''$course_id'' - the id of the course this feeds belongs to
* ''$course_id'' - the id of the course this feeds belongs to
* ''$context_id'' - the id of the context this feeds belongs to
* ''$module'' -  module name or course module object this feeds belongs to
* ''$module'' -  module name or course module object this feeds belongs to
* ''$instance'' - instance id. Could be blogid, forumid etc
* ''$instance'' - instance id. Could be blogid, forumid etc
Line 40: Line 44:


===rss_get_url_key()===
===rss_get_url_key()===
'''rss_get_url_key( $userid, $courseid, $modulename, $instance, $info)'''
'''rss_get_url_key( $userid, $contextid, $modulename, $instance, $info)'''


* ''$user'' - user id.  
* ''$user'' - user id.  
* ''$courseid'' - the id of the course this feeds belongs to
* ''$contextid'' - the id of the context this feeds belongs to
* ''$modulename'' -  module name this feeds belongs to
* ''$modulename'' -  module name this feeds belongs to
* ''$instance'' - instance id. Could be blogid, forumid etc
* ''$instance'' - instance id. Could be blogid, forumid etc
Line 49: Line 53:


Function returns long hash-like string, which can be used later to access specific RSS feed. Used when printing links.
Function returns long hash-like string, which can be used later to access specific RSS feed. Used when printing links.
===RSS feed generation===
'''modulename_rss_newstuff($instance, $time,&$cache, $info)'''
This function checks if there is something new in module since $time
'''modulename_rss_generate_feed($instance, $context, $info, $cache)'''
This function generates and returns XML rss contents
==Changes in RSS feed subsystem==
* No more Cron jobs for RSS feeds.
* All feeds are generated on the fly (i.e. no cached .xml files)
Most of the times nothing changes in the feed - we do not have to send the actual feed content, we can just send HTTP 304 Not Modified header. And because no actual content is sent, this allows us to skip loading all capabilities, identifying users etc - improve performance.
It may be convenient to prefetch some data in rss_newstuff(), that's why $cache is used.
However, it duplicates rcache functionality a bit, so I'm thinking about removing it.
But there is a problem, when rss_new_stuff() result depends on what capabilities user has.
In this situation during newstuff() check we assume that user has all the necessary capabilites. If there are no changes since last feed fetching - send 304 Not Modified. Otherwise, do the real check during feed content generation.
==Database tables==
Fields added to existing tables.
===course===
{| border="1" cellpadding="2" cellspacing="0"
|'''Field'''
|'''Type'''
|'''Default'''
|'''Info'''
|-
|rsstype
|int(1)
|0
|0 - disabled. 1 - recent activity rss
|-
|rssarticles
|int(2)
|0
|number of recent articles in RSS feed
|}
===assigment===
{| border="1" cellpadding="2" cellspacing="0"
|'''Field'''
|'''Type'''
|'''Default'''
|'''Info'''
|-
|rsstype
|int(1)
|0
|0 - disabled. 1 - assignment submissions rss
|-
|rssarticles
|int(2)
|0
|number of recent articles in RSS feed
|}


==Interface mockups==
==Interface mockups==
Line 77: Line 145:
*# Calendar(Upcoming events) 1-2w ✔
*# Calendar(Upcoming events) 1-2w ✔
*# Recent Activity 1-2w ✔
*# Recent Activity 1-2w ✔
*# Assigments submitted(for instructors) 1w
*# Assigments submitted 1w
*# Recent activity for course category/all courses 1-2w
*# Messaging 1w ✔
*# Messaging 1w
* Upgrade whole RSS subsystem. 1-3w
*# ...
*# Each module should have own function, that checks if there are any changes. ✔
* Give user an ability to manage his private keys
*# Use ETag and If-Modified-Since headers.
* More flexible RSS enable/disable settings
*# Generate RSS content on the fly(no cache files, no rss cron jobs) ✔
* ETag and If-Modified-Since support
*# ContextId ✔
*# file.php (stub code) ✔
* Optional tasks - 1.5w
*# Give user an ability to reset his private keys
*# Recent activity feed for "My courses" ✔
* Extensive debugging - 1w
* Extensive debugging - 1w
* Submit code to Google
* End-term evaluation
* Optional tasks - 1-2w
*# Fix RSS feed related issues submitted at Moodle Tracker


== Glossary ==
== Glossary ==
Line 111: Line 181:
* [[Student projects]]
* [[Student projects]]
*[http://moodle.org/mod/forum/discuss.php?d=96026 Project discussion thread]
*[http://moodle.org/mod/forum/discuss.php?d=96026 Project discussion thread]
*[http://tracker.moodle.org/browse/MDL-15122 Issue Tracker issue related to project]
*[http://tracker.moodle.org/browse/MDL-15122 Tracker issue related to project]


[[Category:Project]]
[[Category:Project]]
[[Category:Developer|Feeds]]
[[Category:Developer|Feeds]]
[[Category:Feeds]]
[[Category:Feeds]]

Latest revision as of 14:23, 10 October 2008

This article is a design document which is no longer in use, the code it describes having been written and added to the Moodle codebase, or simply considered then abandoned. The information it contains is likely to be out of date, especially API and Database Schema specifications.


Note: This page outlines ideas for the "Secure RSS feeds" project. If you have any comments or suggestions, please add them to the page comments.

Moodle1.9


Status

Release candidate. All main objectives complete.

Summary

Secure RSS feeds is a project about making the RSS feeds published by Moodle secure so that only desired people can access the feeds. More details here.[1]

Typical RSS URL will look like: “http://domain/moodle/rss/file.php/contextid/hash_keyuser_id/modulename/instance/any/other/params/module/wants/rss.xml”.

Where hash_key – special hash-string used to identify user.

User is identified by comparing part hash_key with the real hash value of user_id + user_private_key(from DB) + modulename + instance(from URL) concatenation.

If someone stole one private feed URL, he won’t be able to use it for reading other private feeds.

Security

  1. Hash-key is a hash value from user_id, user_private_key, modulename (and other information, which is used to identify RSS feed) concatenation.
  2. If hash-key is not specified, consider user as guest.
  3. In current version of spec, hashes are not additionally salted.
  4. User private keys are tied to context id's.
  5. There is an option to force https:// for all RSS feeds

Core functions

rss_auth()

rss_auth($hash_key, $user_id, $course_id, $context_id, $module, $instance, $info )

  • $hash_key - long hash-like string from URL.
  • $user_id - user id from URL
  • $course_id - the id of the course this feeds belongs to
  • $context_id - the id of the context this feeds belongs to
  • $module - module name or course module object this feeds belongs to
  • $instance - instance id. Could be blogid, forumid etc
  • $info - additonal information, which is used to accurately identify RSS feed. Can be array.

Authenticates user by hash-string in URL, sets up $USER and other necessary stuff(done by calling Moodle core function require_user_key_login()). Checks if the user can access particular course and module. Function terminates with error if user doesn't have access to course\module.

rss_get_url_key()

rss_get_url_key( $userid, $contextid, $modulename, $instance, $info)

  • $user - user id.
  • $contextid - the id of the context this feeds belongs to
  • $modulename - module name this feeds belongs to
  • $instance - instance id. Could be blogid, forumid etc
  • $info - additonal information, which is used to accurately identify RSS feed. Can be array.

Function returns long hash-like string, which can be used later to access specific RSS feed. Used when printing links.


RSS feed generation

modulename_rss_newstuff($instance, $time,&$cache, $info) This function checks if there is something new in module since $time

modulename_rss_generate_feed($instance, $context, $info, $cache) This function generates and returns XML rss contents

Changes in RSS feed subsystem

  • No more Cron jobs for RSS feeds.
  • All feeds are generated on the fly (i.e. no cached .xml files)

Most of the times nothing changes in the feed - we do not have to send the actual feed content, we can just send HTTP 304 Not Modified header. And because no actual content is sent, this allows us to skip loading all capabilities, identifying users etc - improve performance.

It may be convenient to prefetch some data in rss_newstuff(), that's why $cache is used. However, it duplicates rcache functionality a bit, so I'm thinking about removing it.

But there is a problem, when rss_new_stuff() result depends on what capabilities user has. In this situation during newstuff() check we assume that user has all the necessary capabilites. If there are no changes since last feed fetching - send 304 Not Modified. Otherwise, do the real check during feed content generation.

Database tables

Fields added to existing tables.

course

Field Type Default Info
rsstype int(1) 0 0 - disabled. 1 - recent activity rss
rssarticles int(2) 0 number of recent articles in RSS feed


assigment

Field Type Default Info
rsstype int(1) 0 0 - disabled. 1 - assignment submissions rss
rssarticles int(2) 0 number of recent articles in RSS feed

Interface mockups

RSS links on Course page

Calendar RSS links

Recent activity RSS feed preferences page

Tasks and Timeline

  • Further develop spec, get feedback, feel out implementation ✔
  • Implement core functions - 1-2w ✔
  • Secure existing RSS feeds in Moodle 1w ✔
    1. Forums ✔
    2. Blogs ✔
    3. Database module ✔
    4. Glossary ✔
  • Add option to force HTTPS for RSS feeds ✔
  • Add RSS to other areas of Moodle.
    1. Calendar(Upcoming events) 1-2w ✔
    2. Recent Activity 1-2w ✔
    3. Assigments submitted 1w ✔
    4. Messaging 1w ✔
  • Upgrade whole RSS subsystem. 1-3w
    1. Each module should have own function, that checks if there are any changes. ✔
    2. Use ETag and If-Modified-Since headers. ✔
    3. Generate RSS content on the fly(no cache files, no rss cron jobs) ✔
    4. ContextId ✔
    5. file.php (stub code) ✔
  • Optional tasks - 1.5w
    1. Give user an ability to reset his private keys ✔
    2. Recent activity feed for "My courses" ✔
  • Extensive debugging - 1w
  • End-term evaluation

Glossary

Term Definition
Hash value (also called a "digest" or a "checksum") A concise representation of the longer message or document from which it was computed. The message digest is a sort of "digital fingerprint" of the larger document.
RSS feed A family of Web feed formats used to publish all kind of frequently updated content, usually blog entries, news headlines, and podcasts. RSS proved to be very convenient and easy-to-use, fast–to-implement technology, which makes users more productive and saves a lot of time.
user_private_key unique hash-like string used for user identification. Stored in database.

See also

Retrieved from "https://docs.moodle.org/test/index.php?title=Student_projects/Secure_RSS_feeds&oldid=45113"
Powered by MediaWiki