RSS using secret key and in context of a generic user

Started by Jamie96, April 12, 2015, 05:08:52 PM

Jamie96

Scenario: I have a forum that is members only, and as such RSS feeds don't work. I would like to allow an eggdrop bot or even just a personal RSS app to be able to get the RSS feed.

Could anyone point me in the right direction to, as simply as possible, allow the RSS feed to be displayed if a correct token is supplied in GET or some similar method?

Such that, http://example.com/index.php?action=.xml;type=rss fails as expected, but http://example.com/index.php?action=.xml;type=rss&token=E653C380D89 displays the RSS feed from the perspective of user Bob.

I'm not against a dirty hack if it's easier, I plan mostly to use this for an eggdrop bot on the local host, so sniffers and replay attacks are not really a concern. And even then, all it provides is a way to read, right? No less secure than making the forum guest readable to use RSS feeds regular.

Jamie96

OK, so I see how to bypass the guest lockout...just add my own action to index.php or add .xml action to guest access. Easy enough.

Now how to render the xml/rss in the perspective of a user? I'm thinking so far that I would have to override the user_info global? Thoughts?

margarett

I can think of a number of ways to do it, but all of them are quite hacky :P

1 - you duplicate all .xml actions, which should be quite laborious...
2 - you hack News.php to do what you want to (should be the most straightforward way as you should only need to hackishly change $user_info['query_see_board'])
3 - you hook a "fake authentication" to Load.php (there is a hook for it --> integrate_verify_user) where you check $_GET for action and that token, query the database to find the token and, if found, return the ID of the matched user. This can be a security risk, methinks (someone can impersonate an admin...)

Jamie96

Actually, going to use a combination of all three!

I have duplicated News.php to ExternalRSS.php, and added the action for it (action=erss2) to the index.php and to the guest allowed actions. Seems now all I have to do is install some basic token validation to ExternalRSS to verify I should set $user_info['query_see_board'] = '1=1' and that should do it.

Why do these things always turn out to be easier than they look?
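
An added example, not part of the thread and not SMF code: one way to write the "basic token validation" for the duplicated feed action so that a token unlocks only that action and only an allowlist of boards, rather than '1=1'. The function names, the token store, the minimum token length, the board IDs and the `b.id_board` column alias are assumptions made for illustration.

```php
<?php
// Added illustration. erss_resolve_token(), erss_board_filter(), $feedTokens
// and the board ids are hypothetical names and values, not SMF APIs.

/**
 * Return the feed profile for a presented token, or null if it is not valid.
 * Tokens are stored as SHA-256 digests so a leaked settings file does not
 * hand out usable tokens.
 */
function erss_resolve_token(string $action, ?string $presented, array $feedTokens): ?array
{
    // Only the dedicated feed action may ever be unlocked by a token.
    if ($action !== 'erss2' || $presented === null) {
        return null;
    }
    // Enforce shape and a minimum length before doing any lookup.
    if (!preg_match('/^[A-Za-z0-9]{32,64}$/', $presented)) {
        return null;
    }
    $digest = hash('sha256', $presented);
    $match = null;
    foreach ($feedTokens as $storedDigest => $profile) {
        // hash_equals() compares in constant time; the loop does not stop
        // early, so timing does not show which entry matched.
        if (hash_equals((string) $storedDigest, $digest)) {
            $match = $profile;
        }
    }
    return $match;
}

/** Build a read-only board filter from an allowlist instead of '1=1'. */
function erss_board_filter(array $profile): string
{
    $ids = array_filter(array_map('intval', $profile['boards'] ?? []), fn($id) => $id > 0);
    // An empty allowlist must show nothing, never everything.
    return $ids ? 'b.id_board IN (' . implode(', ', $ids) . ')' : '0=1';
}

// Constructed sample data: one token for the bot, limited to boards 2 and 5.
$sampleToken = str_repeat('a1B2c3D4', 4);
$feedTokens = [hash('sha256', $sampleToken) => ['label' => 'eggdrop', 'boards' => [2, 5]]];

$profile = erss_resolve_token('erss2', $sampleToken, $feedTokens);
echo $profile ? erss_board_filter($profile) : 'denied', "\n";
var_dump(erss_resolve_token('erss2', 'E653C380D89', $feedTokens));  // below the minimum length
var_dump(erss_resolve_token('profile', $sampleToken, $feedTokens)); // token sent to another action
```

The string returned by `erss_board_filter()` is what the duplicated file would assign to `$user_info['query_see_board']`; because no member ID is ever returned, a valid token cannot be turned into an admin session.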
