Ticket UUID: 9c8d43bfa6927905203200b118f7224542f3741b
Title: RSS permissions too strict
Status: Closed
Type: Code_Defect
Severity: Minor
Priority:
Subsystem:
Resolution: Works_As_Designed
Last Modified: 2010-04-22 12:23:58
Version Found In: [7c37b46b12]
Description & Comments:
rss.c requires "okRead, okRdTkt and okRdWiki" in order to produce an RSS.

I want an anonymous user who can only read tickets and wiki to be able to get an RSS feed ... that is, I want the RSS to be useful even if I have restricted anonymous users to the minimum access.

From what I can see, "okRead" means the user can check-out. This seems unnecessary to me for someone to simply get an RSS feed.


drh added on 2010-04-21 23:43:46:
Looking at the code, it seems that one or more of okRead, okRdWiki, or okRdTkt is required to receive RSS. Are you sure you are looking at the latest code?

This was updated by [78a6270fdc6ee90ae2edeac25ec94f2004cf6624] on 2010-02-05.


ron added on 2010-04-22 03:18:39:
rss.c line 55:

if( !g.okRead && !g.okRdTkt && !g.okRdWiki )

It requires all permissions, not any of them.


ron added on 2010-04-22 03:19:57:
Oh, sorry; that was a misread on my part.

Nevertheless, an anonymous user with low permissions cannot get an RSS feed. I'm just looking at the wrong spot for the problem (and it's before my coffee)...


drh added on 2010-04-22 12:23:58:
I think that if permissions are relaxed to open up RSS further, it will start to "leak" information. As currently implemented, you must have check-out permission in order to get RSS information about check-ins, and you must have the ability to read wiki in order to get an RSS feed about wiki, and you must have the ability to read tickets in order to get RSS data on tickets. This seems like the right level of permissions to me.
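
The two checks discussed in this thread, as an added example (not Fossil's rss.c and not part of any comment above): the any-of gate from the quoted line, followed by the per-type filtering described in the last comment. The struct, enum and function names and the sample items are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the three capability flags named in the ticket. */
struct Perms { bool okRead, okRdTkt, okRdWiki; };
enum ItemType { ITEM_CHECKIN, ITEM_TICKET, ITEM_WIKI };
/* Constructed feed item; not Fossil's real event schema. */
struct Item { enum ItemType type; const char *title; };

/* Gate as quoted in the ticket: refuse only when ALL three flags are absent.
** By De Morgan, !a && !b && !c == !(a || b || c), so any one flag passes. */
static bool rss_allowed(const struct Perms *g){
  if( !g->okRead && !g->okRdTkt && !g->okRdWiki ) return false;
  return true;
}

/* Per-type filter: an item is emitted only with its matching read flag,
** so passing the gate never exposes a category the user cannot read. */
static bool item_visible(const struct Perms *g, const struct Item *it){
  switch( it->type ){
    case ITEM_CHECKIN: return g->okRead;
    case ITEM_TICKET:  return g->okRdTkt;
    case ITEM_WIKI:    return g->okRdWiki;
  }
  return false;  /* unknown type: deny by default */
}

/* Copy visible items into out[]; return the count, or -1 if the feed is refused. */
static int build_feed(const struct Perms *g, const struct Item *in,
                      size_t n, const struct Item **out){
  int k = 0;
  if( !rss_allowed(g) ) return -1;
  for(size_t i=0; i<n; i++) if( item_visible(g, &in[i]) ) out[k++] = &in[i];
  return k;
}

/* Constructed sample feed: one item of each type. */
static const struct Item SAMPLE[] = {
  { ITEM_CHECKIN, "Check-in: fix typo" },
  { ITEM_TICKET,  "Ticket: RSS permissions too strict" },
  { ITEM_WIKI,    "Wiki: HomePage edited" },
};

int main(void){
  struct Perms anon = { false, true, true };  /* tickets + wiki, no check-out */
  const struct Item *out[3];
  int n = build_feed(&anon, SAMPLE, 3, out);
  for(int i=0; i<n; i++) printf("%s\n", out[i]->title);
  return 0;
}
```

In this sketch, a user holding only the ticket and wiki read flags passes the gate and receives the ticket and wiki items, while the check-in item is withheld.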