-
2007-01-19
orion
I have ACLs set up on my site so that non-registered users cannot see many of the pages put up. However, if they look at the RSS feed for the site, every change is published with a description of the text typed. This breaches the security of the site. My suggestion is that the RSS feed only publishes pages that the group @ALL can see. When I have time, I'll see if I can come up with a patch for this (just an ACL check using the group @ALL before putting a page in the feed, right?).
-
2007-01-19
gb
That's strange, I have several wikis with ACL-protected pages or namespaces, and none of them shows protected page changes in its feed. I'm running either the public release (2006-11-06) or the current development revision.
Is your wiki accessible?
Cheers,
gb
-
2007-01-19
orion
Well, it shouldn't be accessible---that's the point :). I'll try to set up a copy of the development snapshot and see if I observe the same behavior.
Thanks for the almost immediate feedback.
-
2007-01-25
ChrisS
Can you advise your RSS settings and your ACL + Auth settings?
I have made a quick check of the 2006-11-06 code; both RSS feed types should only pick up items that pass a "quickaclcheck". The feed cache is dependent on the user name - which, if not set in the feed request, will be equivalent to @ALL.
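
Added example, not part of the thread and not DokuWiki source code: a simplified Python model of the behaviour discussed above, where each feed entry must pass a per-page ACL check for the requesting user (an anonymous request holds only @ALL) and the feed cache is keyed on the user name. The ACL entries, change list and all function names are constructed for illustration.

```python
# Simplified model of an ACL-filtered, per-user cached feed (hypothetical names).
import hashlib

AUTH_NONE, AUTH_READ = 0, 1

# Constructed ACL in a "scope  who  level" layout.
ACL = [
    ("*", "@ALL", AUTH_READ),
    ("private:*", "@ALL", AUTH_NONE),
    ("private:*", "@user", AUTH_READ),
]

# Constructed recent-changes entries: (page id, change summary).
CHANGES = [
    ("start", "fixed typo"),
    ("private:plans", "added launch date"),
    ("wiki:syntax", "new table example"),
]

def scopes(page_id):
    """Scopes that can match page_id, most specific first."""
    parts = page_id.split(":")
    yield page_id
    for i in range(len(parts) - 1, 0, -1):
        yield ":".join(parts[:i]) + ":*"
    yield "*"

def acl_check(page_id, user=None, groups=()):
    """Permission for the requester; an anonymous request holds only @ALL."""
    who = {"@ALL"} | {"@" + g for g in groups} | ({user} if user else set())
    for scope in scopes(page_id):
        levels = [lvl for s, w, lvl in ACL if s == scope and w in who]
        if levels:
            return max(levels)  # most specific scope with a match decides
    return AUTH_NONE            # no rule matched: deny

def feed_items(user=None, groups=()):
    """Only changes the requester may read reach the feed."""
    return [(p, s) for p, s in CHANGES if acl_check(p, user, groups) >= AUTH_READ]

def cache_key(feed_type, user=None):
    # The user name is part of the key, so a feed built for a member
    # is never served from cache to an anonymous request.
    return hashlib.sha256(f"{feed_type}|{user or ''}".encode()).hexdigest()

_cache = {}

def get_feed(feed_type="rss", user=None, groups=()):
    key = cache_key(feed_type, user)
    if key not in _cache:
        _cache[key] = feed_items(user, groups)
    return _cache[key]
```

Requesting the feed as a logged-in member first and then anonymously is the case worth checking: the second request must get its own cache entry without the protected page.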