Scenario: I have a forum that is members only, and as such RSS feeds don't work. I would like to allow an eggdrop bot or even just a personal RSS app be able to get the RSS feed.
Could anyone point me in the right direction to, as simply as possible, allow the RSS feed to be displayed if a correct token is supplied in GET or some similar method?
Such that, http://example.com/index.php?action=.xml;type=rss fails as expected, but http://example.com/index.php?action=.xml;type=rss&token=E653C380D89 displays the RSS feed from the perspective of user Bob.
I'm not against a dirty hack if it's easier; I plan mostly to use this for an eggdrop bot on the local host, so sniffers and replay attacks are not really a concern. And even then, all it provides is a way to read, right? No less secure than making the forum guest readable to use RSS feeds regularly.
OK, so I see how to bypass the guest lockout...just add my own action to index.php or add .xml action to guest access. Easy enough.
Now how to render the xml/rss in the perspective of a user? I'm thinking so far that I would have to override the user_info global? Thoughts?
I can think of a number of ways to do it, but all of them are quite hacky :P
1 - you duplicate all .xml actions, which should be quite laborious...
2 - you hack News.php to do what you want to (should be the most straightforward way as you should only need to hackishly change $user_info['query_see_board'])
3 - you hook a "fake authentication" to Load.php (there is a hook for it --> integrate_verify_user) where you check $_GET for action and that token, query the database to find the token and, if found, return the ID of the matched user. This can be a security risk, methinks (someone can impersonate an admin...)
Actually, going to use a combination of all three!
I have duplicated News.php to ExternalRSS.php, and added the action for it (action=erss2) to the index.php and to the guest allowed actions. Seems now all I have to do is install some basic token validation to ExternalRSS to verify I should set $user_info['query_see_board'] = '1=1' and that should do it.
Why do these things always turn out to be easier than they look?
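For reference, here is what option 3 from the reply above (the integrate_verify_user hook) can look like when the token is scoped so it cannot be used to impersonate the member anywhere except the feed, which addresses the "someone can impersonate an admin" concern and also avoids the query_see_board = '1=1' shortcut in the last post. This is an added example, not code from SMF or from anyone in this thread. It assumes SMF 2.0's integrate_verify_user hook (a positive return value is taken as the verified member id), the $smcFunc database wrappers, and a hypothetical custom table {db_prefix}rss_tokens with columns id_member and token_hash that you would create yourself.

```php
<?php
// Added example, not SMF's own code. Assumes a custom table {db_prefix}rss_tokens
// (id_member INT, token_hash CHAR(64)) holding sha256 hex digests of per-member tokens.
// Register once, e.g. from an install script:
//   add_integration_function('integrate_verify_user', 'rss_token_verify_user');
// Generate a token for a member with: bin2hex(random_bytes(16)) and store hash('sha256', $token).

function rss_token_verify_user()
{
    global $smcFunc;

    // Only honour the token on the RSS feed action (SMF turns the ';' separators
    // into normal $_GET keys), so the token logs nobody in elsewhere on the forum.
    if (!isset($_GET['action'], $_GET['type'], $_GET['token'])
        || $_GET['action'] !== '.xml' || $_GET['type'] !== 'rss')
        return 0;

    // Accept only the exact token shape we issue (32 hex chars) before touching the DB.
    $token = (string) $_GET['token'];
    if (!preg_match('/^[0-9a-f]{32}$/', $token))
        return 0;

    // Look the token up by its hash so the table never stores a usable secret.
    $request = $smcFunc['db_query']('', '
        SELECT id_member
        FROM {db_prefix}rss_tokens
        WHERE token_hash = {string:token_hash}
        LIMIT 1',
        array('token_hash' => hash('sha256', $token))
    );
    $row = $smcFunc['db_fetch_assoc']($request);
    $smcFunc['db_free_result']($request);

    // 0 means "not verified": SMF then falls back to its normal cookie/guest handling.
    return $row ? (int) $row['id_member'] : 0;
}
```

Because the feed then runs as the matched member, News.php applies that member's own board permissions, so the bot sees exactly what Bob sees and nothing more; a stolen token yields a read-only feed rather than a session, and revoking it is a single row delete.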