Note: This page outlines ideas for the "Secure RSS feeds" project. It's a specification under construction! If you have any comments or suggestions, please add them to the page comments.

Status

This is a draft spec as part of the Google Summer of Code submission of Askars Salimbajevs (ghostinshell [at] gmail.com). It is preliminary and partial. Spec based on the "Secure RSS feeds" idea described in Talk:Student projects/Secure RSS feeds. Any feedback is welcome.

Summary

Secure RSS feeds is a project about making the RSS feeds published by Moodle secure so that only desired people can access the feeds. More details here.[1]

Typical RSS URL will look like: “http://domain/moodle/rss/file.php/courseid/hash_keyuser_id/modulename/instance/rss.xml”.

Where hash_key – special hash-string used to identify user.

User is identified by comparing part hash_key with the real hash value of user_id + user_private_key(from DB) + modulename + instance(from URL) concatenation.

If someone stole one private feed URL, he won’t be able to use it for reading other private feeds.

Security

1. Hash-key is a hash value from user_id, user_private_key, modulename (and other information, which is used to identify RSS feed) concatenation.
2. If hash-key is not specified, consider user as guest.
3. In current version of spec, hashes are not additionally salted.
4. Each user will have one user_private_key for RSS per course.
5. [OPTIONALY] There will be an option to force https:// for private RSS feeds

Core functions

rss_auth()

rss_auth($hash_key, $user_id, $course_id, $modulename, $instance, $info )

• $hash_key - long hash-like string from URL.
• $user_id - user id from URL
• $course_id - the id of the course this feeds belongs to
• $modulename - module name this feeds belongs to
• $instance - instance id. Could be blogid, forumid etc
• $info - additonal information, which is used to accurately identify RSS feed. Can be array.

Authenticates user by hash-string in URL, sets up $USER and other necessary stuff(done by calling Moodle core function require_user_key_login()). Checks if the user can access particular course and module. Function terminates with error if key is incorrect or user doesn't have access to course\module.

rss_get_url_key()

rss_get_url_key( $userid, $courseid, $modulename, $instance, $info)

• $user - user id.
• $courseid - the id of the course this feeds belongs to
• $modulename - module name this feeds belongs to
• $instance - instance id. Could be blogid, forumid etc
• $info - additonal information, which is used to accurately identify RSS feed. Can be array.

Function returns long hash-like string, which can be used later to access specific RSS feed. Used when printing links.

Interface mockups

Tasks and Timeline

• Further develop spec, get feedback, feel out implementation
• Implement core functions - 1-2w
• Secure existing RSS feeds in Moodle 1-2w
  1. Forums
  2. Blogs
  3. Database module
• Add RSS to other areas of Moodle.
  1. Calendar(Upcoming events) 3-4w
  2. Recent Activity
  3. Assigments submitted(for instructors)
  4. Recent activity for course category/all courses
  5. Messaging
  6. ...
• Extensive debugging - 1w
• Submit code to Google
• Additional optional tasks - 1-2w
  1. Add option to force SSL for private feeds
  2. Give user an ability to reset private URLs.
  3. Fix RSS feed related issues submitted at Moodle Tracker.

Glossary

See also

• GSOC/2008
• Student projects
• Project discussion thread