Note: This page outlines ideas for the "Secure RSS feeds" project. It's a specification under construction! If you have any comments or suggestions, please add them to the page comments.

Status

This is a draft spec as part of the Google Summer of Code submission of Askars Salimbajevs (ghostinshell [at] gmail.com). It is preliminary and partial. Spec based on the "Secure RSS feeds" idea described in Talk:Student projects/Secure RSS feeds. Any feedback is welcome.

Summary

Secure RSS feeds is a project about making the RSS feeds published by Moodle secure so that only desired people can access the feeds. More details here.[1]

Typical RSS URL will look like: “http://domain/moodle/rss/file.php/courseid/hash_keyuser_id/modulename/instance/rss.xml”.

Where hash_key – special hash-string used to identify user.

User is identified by comparing part hash_key with the real hash value of user_id + user_private_key(from DB) + modulename + instance(from URL) concatenation.

If someone stole one private feed URL, he won’t be able to use it for reading other private feeds.

Security

1. Hash-key is a hash value from user_id, user_private_key, modulename (and other information, which is used to identify RSS feed) concatenation.
2. If hash-key is not specified, consider user as guest.
3. In current version of spec, hashes are not additionally salted.
4. Each user will have one user_private_key for RSS per course.
5. There is an option to force https:// for all RSS feeds

Core functions

rss_auth()

rss_auth($hash_key, $user_id, $course_id, $module, $instance, $info )

• $hash_key - long hash-like string from URL.
• $user_id - user id from URL
• $course_id - the id of the course this feeds belongs to
• $module - module name or course module object this feeds belongs to
• $instance - instance id. Could be blogid, forumid etc
• $info - additonal information, which is used to accurately identify RSS feed. Can be array.

Authenticates user by hash-string in URL, sets up $USER and other necessary stuff(done by calling Moodle core function require_user_key_login()). Checks if the user can access particular course and module. Function terminates with error if user doesn't have access to course\module.

rss_get_url_key()

rss_get_url_key( $userid, $courseid, $modulename, $instance, $info)

• $user - user id.
• $courseid - the id of the course this feeds belongs to
• $modulename - module name this feeds belongs to
• $instance - instance id. Could be blogid, forumid etc
• $info - additonal information, which is used to accurately identify RSS feed. Can be array.

Function returns long hash-like string, which can be used later to access specific RSS feed. Used when printing links.

Interface mockups

RSS links on Course page

Calendar RSS links

Recent activity RSS feed preferences page

Tasks and Timeline

• Further develop spec, get feedback, feel out implementation ✔
• Implement core functions - 1-2w ✔
• Secure existing RSS feeds in Moodle 1w ✔
  1. Forums ✔
  2. Blogs ✔
  3. Database module ✔
  4. Glossary ✔
• Add option to force HTTPS for RSS feeds ✔
• Add RSS to other areas of Moodle.
  1. Calendar(Upcoming events) 1-2w ✔
  2. Recent Activity 1-2w ✔
  3. Assigments submitted(for instructors) 1w
  4. Recent activity for course category/all courses 1-2w
  5. Messaging 1w
  6. ...
• Give user an ability to manage his private keys
• More flexible RSS enable/disable settings
• ETag and If-Modified-Since support
• Extensive debugging - 1w
• Submit code to Google
• Optional tasks - 1-2w
  1. Fix RSS feed related issues submitted at Moodle Tracker

Glossary

See also

• GSOC/2008
• Student projects
• Project discussion thread
• Issue Tracker issue related to project