Hi

I have a site with several RSS feeds (podcasts, actually) that are only available to authenticated users. I'm hoping that I can use the secure site module to allow the use of iTunes to subscribe to these podcasts, but I'm having trouble figuring out how to do this. I'm using Drupal 4.7.4, and Secure Site v.1.2.2.16. I want to make it so that only my downloaded audio files use secure site for authentication--all other protected content should be accessed from a web browser, in which case the normal Drupal authentication mechanisms work fine. I get the sense that the "Bypass Login Filter Pages" box may be the key to success, but I'm not exactly sure what to put there. Do I need to put all pages that WON'T be handled by the Secure Site module there? If so, that would be rather difficult unless I can exclude all pages except my audio download files.

Is it possible to use iTunes (or another RSS reader) to access files that require authentication to access using the secure site module? If so, I would appreciate some help with getting it configured correctly.

Thanks for any help you can provide
-AC

Attached file (comment #19): feeds_2.patch, 434 bytes, by NaX

Comments

NaX’s picture

Assigned: Unassigned » NaX

Looking into it.

NaX’s picture

I tested RSS feeds using RSSOwl. What I found was that if Authentication was set to HTTP-AUTH it would prompt me to enter a username and password. If HTML login form was enabled it would detect it as not being a valid feed.

But what I also found is that when I entered a valid username and password it would come up with a Redirect Error 302. After looking through the code I found that we only needed to redirect when a user was on the logout page, else it would log the user out again, causing a loop. Up to now we just redirected after authentication regardless. But this caused RSSOwl some problems. So I added a check so now it only redirects if it is on the logout page, else it just returns and the page loads normally.

I don't know if this problem only exists with RSSOwl or if most RSS readers have this problem with redirects. The only question now is what if you have feeds that require authentication but you want to use the login form, not HTTP-AUTH. That is a problem. If we could find a way to check if the requested path is an RSS feed, we could then conditionally always send the HTTP-AUTH headers to the RSS readers and the HTML form for everything else. But I can't find a way to check if it is an RSS feed. Because modules are responsible for creating feeds, any module could create a feed and the secure site module would not know that it is a feed. We could check the path for keywords like rss.xml or /feed but we can't be 100% sure that it is a feed.

I committed the changes for unnecessary redirecting to HEAD and 4.7. If you can't wait for the packages to be recreated, here is the code.

Replace line 185 in securesite.module with

    if (arg(0) != 'logout') { // only redirect if on logout page
      return;
    }
    securesite_goto();

I have thought of a manual way around this so we can use any authentication method we want (HTTP-AUTH or HTML form) by manually specifying your authenticated feeds like you do with "Bypass Login Filter Pages", and then your public feeds would be bypassed pages. If this is something people would want I can add it.

When it comes to your problem: you want only some pages to use secure site and the rest for secure site to skip. What you need, and what makes sense, is some options in the bypass filter pages section, like "Enabled on only the listed pages" and "Enabled on every page except the listed pages". I will look to add this later as it would give the module more flexibility than just specifying pages to skip.
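The redirect rule described in this comment (redirect after a successful login only when the request was for the logout page), as an added Python model that is not the module's PHP. `securesite_check` stands in for the hook that guards each request, `USERS` is a constructed account table, and `feed_reader_fetch` is a constructed model of a reader that answers one HTTP-AUTH challenge but, like RSSOwl in the report above, treats a 302 on a feed URL as an error. The `redirect_always` flag switches between the old behaviour and the fix.

```python
# Added example: a model of securesite's redirect-after-login rule, not the module's PHP.
# USERS is a constructed account table for the demo; real code checks hashed passwords.
USERS = {"alice": "correct-horse"}


def authenticate(credentials):
    """Return the username when the (user, password) pair is valid, else None."""
    if credentials is None:
        return None
    user, password = credentials
    return user if USERS.get(user) == password else None


def securesite_check(path, credentials, redirect_always):
    """Guard one request the way the module's hook does.

    Returns (status, detail):
      401 -> no or bad credentials: challenge the client with HTTP-AUTH
      302 -> login succeeded and a redirect to the front page is issued
      200 -> login succeeded and the requested page renders normally
    """
    user = authenticate(credentials)
    if user is None:
        return 401, 'WWW-Authenticate: Basic realm="site"'
    # Old behaviour: redirect after every successful login.
    # Fix: redirect only when the request was for the logout page, which would
    # otherwise log the freshly authenticated user straight out again.
    if redirect_always or path.strip("/").split("/")[0] == "logout":
        return 302, "Location: /"
    return 200, f"{path} rendered for {user}"


def feed_reader_fetch(path, credentials, redirect_always):
    """Constructed model of a feed reader: answers one 401 challenge with its
    stored credentials, but reports a 302 on the feed URL as an error."""
    status, detail = securesite_check(path, None, redirect_always)
    if status == 401:
        status, detail = securesite_check(path, credentials, redirect_always)
    if status == 302:
        return "redirect error 302"
    return detail


if __name__ == "__main__":
    creds = ("alice", "correct-horse")
    print(feed_reader_fetch("rss.xml", creds, redirect_always=True))   # old: redirect error 302
    print(feed_reader_fetch("rss.xml", creds, redirect_always=False))  # fixed: rss.xml rendered for alice
    print(securesite_check("logout", creds, redirect_always=False))    # logout page still redirects
```

The model keeps the one redirect that is still needed: a request for `logout` that carries valid credentials is redirected away, so the user is not logged out again by the page they just authenticated to.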

NaX’s picture

Status: Active » Fixed

I committed to head and 4.7 options for bypass filter pages.

Filter Type:
  • Only the listed pages.
  • Every page except the listed pages.

You should use the second option. So it skips every page except your feeds. And in the pages textarea you should list all your feeds that you want to have authentication.

If that does not work for you please reopen this issue.

aclight’s picture

Status: Fixed » Active

Hm... now I'm having different problems. Using Drupal 4.7.4 and // $Id: securesite.module,v 1.2.2.19 2006/11/05 16:32:46 nax Exp $

On the secure site settings page, I'm clicking HTTP-Auth. For the Bypass Login Filter Pages section, I have "Every page except the listed pages" ticked and nothing in the text box. So, this should bypass all pages, right? However, it seems that any page I try to go to requests that I log in using HTTP-auth. I also tried putting the path to my podcasts (node/*/playlist) in the box and still I was asked to log in even if I tried to go to the home page. Am I doing something wrong or did the function that checks to see if a page should result in an authentication request get messed up?

Thanks
AC

NaX’s picture

Status: Active » Fixed

I see there was a problem when you had nothing in the "pages" textarea for "Every page except the listed pages." I fixed that in HEAD and 4.7. Please test again using version 1.2.2.20.
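The two "Bypass Login Filter Pages" options from #3, together with the empty-textarea case just fixed, as an added Python model that is not securesite's PHP. It assumes Drupal's path-pattern convention (one pattern per line, `*` as a wildcard that may span slashes, patterns matched against the whole path); the exact cause of the 1.2.2.19 bug is not on this page, so the model simply shows the intended result: with "Every page except the listed pages" and an empty textarea, no page asks for a login. The sample patterns are the ones posted in this thread (`node/*/playlist`, `user/*/subscriptions/feed`, `taxonomy/term/*/0/feed`).

```python
import re

# Added example: a model of the "Bypass Login Filter Pages" options, not securesite's PHP.
ONLY_LISTED = "Only the listed pages."
EVERY_EXCEPT = "Every page except the listed pages."


def compile_patterns(textarea):
    """One Drupal-style path pattern per line; '*' is a wildcard that may span
    slashes.  Each pattern is anchored, so 'node/*/playlist' matches
    'node/12/playlist' but not 'node/12/playlist/edit'.  Blank lines are ignored."""
    lines = [line.strip().strip("/") for line in textarea.splitlines()]
    return [re.compile("^" + re.escape(p).replace(r"\*", ".*") + "$")
            for p in lines if p]


def path_is_listed(path, patterns):
    path = path.strip("/")
    return any(p.match(path) for p in patterns)


def securesite_bypassed(path, filter_type, textarea):
    """True when securesite should skip `path` (no login prompt).

    ONLY_LISTED:  the listed pages are skipped, everything else is protected.
    EVERY_EXCEPT: every page is skipped except the listed ones, so an empty
                  textarea means securesite is active nowhere (the case that
                  wrongly prompted everywhere before 1.2.2.20).
    """
    listed = path_is_listed(path, compile_patterns(textarea))
    if filter_type == ONLY_LISTED:
        return listed
    if filter_type == EVERY_EXCEPT:
        return not listed
    raise ValueError(f"unknown filter type: {filter_type!r}")


def requires_login(path, filter_type, textarea):
    """Convenience wrapper: the pages securesite will challenge."""
    return not securesite_bypassed(path, filter_type, textarea)


if __name__ == "__main__":
    feeds = "node/*/playlist"
    for p in ("", "node/12", "node/12/playlist"):
        print(repr(p), "requires login:", requires_login(p, EVERY_EXCEPT, feeds))
```

For the original poster's setup (protect only the podcast files), the second option with `node/*/playlist` in the textarea challenges `node/12/playlist` and leaves the front page and `node/12` alone; the first option with the same textarea does the opposite.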

aclight’s picture

That fixed the problem (at least testing in the browser). My podcast feeds are messed up right now, so I can't test this with iTunes or another RSS reader, but I will let you know if there is a problem with using those.

Thanks
AC

scafmac’s picture

I'm using 1.2.2.19 and am having problems with this. In reality I only want to use securesite because I've seen no way to give RSS readers access to restricted content. This seems to be a module to protect the whole site, whereas I'm happy with protecting things with roles and TAC. I'm trying this module to give access to restricted RSS feeds. Is there another way to do this?

Assuming there isn't, the problem I ran into is that this doesn't seem to work with TAC. Can anyone confirm that?

Here's what I'm experiencing. I have 3 forums. One is public. The other two are protected by role and taxonomy using TAC. There are two roles, role A and role B. One forum is for role A users, the other for B. Without securesite, a news reader only sees the open forum posts. That's good. With securesite a role B user can see posts from all three forums. If that same user logs in, they only see posts in the public and role B forums. And that is what it should be via the RSS aggregator too, but it isn't with securesite. Is there another module that will do that? Am I missing something?

Thanks

NaX’s picture

@scafmac

When you refer to the "RSS aggregator" do you mean the Drupal module or a separate piece of software? And what exactly is the problem with the feeds? Is it that the authenticated user can see more than they are supposed to, or that the securesite module is blocking an RSS reader from reading the feeds?

Please explain the problem more. Is it a login issue or an access control issue?

Anonymous’s picture

Status: Fixed » Closed (fixed)
salvis’s picture

Status: Closed (fixed) » Active

I'm trying to get securesite to accomplish exactly what the original poster had in mind, but I sorely miss a README.TXT file with some how-to information.

Anyway, I did some experimenting, and tried the following:

  1. set securesite to "Enabled with web browser HTTP-AUTH security", with or without "browser logout workaround" (doesn't make a difference -- what does this do anyway?)
  2. selected "Every page except the listed pages" and entered user/*/subscriptions/feed into the textarea
  3. used IE6 on a different computer to confirm that I can still access the public portion of the site, and I can also log into Drupal as before, logged out again
  4. tried going to /user/6/subscriptions/feed, the login box came up, entered username/password for user/6
  5. unfortunately, the login box comes up again, and again -- there's no way I can log in!
  6. disable securesite from the first computer
  7. go back to the second computer, cancel the login box, and there I find out that I'm logged in under user/6

Apparently, the authentication has worked, but the login box still comes up again. The exact same thing also happens with Firefox 2.0.

I did some more experimenting to try a Drupal core feed:

  1. on the client PC, with securesite off, logged in, went to a forum (/taxonomy/term/7), looked at its feed at /taxonomy/term/7/0/feed (this shows up nicely in FF2, but not in IE6), back to /taxonomy/term/7
  2. turned securesite on, added taxonomy/term/*/0/feed to the textarea
  3. refreshed the client browser -- it displays the login box! I should still be logged in, and securesite should NOT put up the login box for /taxonomy/term/7!

Getting secure RSS feeds to work would be a great accomplishment, but so far I'm hitting a concrete wall...

NaX’s picture

There are 2 things you need to check.

1. Check that your user has the correct permissions. You need to give your users "access site" permissions.

2. You need to check how your PHP is installed. If it is installed as CGI then you need to look at this issue http://drupal.org/node/28408 for a workaround.

Lastly, the logout workaround should have a small description of what it does under the radio buttons. For more information see this issue http://drupal.org/node/21814

scafmac’s picture

NaX,

Sorry on the poor description.

The aggregator I'm referring to is a non-Drupal news feed aggregator. I just want to use Drupal as the source of the feeds.

The problem is that some content that a role does not have access to when logged in to Drupal (based on the TAC module) is accessible via RSS and the securesite module. I want users in role B to have access to some protected content via RSS, but only content they would have access to when they were logged in.

Does that clarify or should I start over?

salvis’s picture

@11

1. Check that your user has the correct permissions. You need to give your users "access site" permissions.

Do you mean "access content"? All users have that, even the anonymous ones. However, I'm using the na_arbitrator module to limit access to some roles, and those are the ones that I'd like to give access to. The problem is that if they subscribe to a feed while logged in, it works fine, but as soon as they log out, it stops working and watchdog keeps logging access denied errors. I was hoping to use Secure Site to solve both of these problems.

2. You need to check how your php is installed. If it is installed as CGI then you need to look at this issue http://drupal.org/node/28408 for a workaround.

It's running as an Apache module.

NaX’s picture

Does the feed aggregator support HTTP-AUTH? Securesite does not accept usernames and passwords being passed by the query string. It only supports HTTP-AUTH and POST (HTML form).

Do you require submitting the username and password via the query string? E.g. http://www.example.com/?name=user&pass=password
I am not sure what the security risks would be of this kind of feature.

Are you able to get authentication to work at all using a browser? If not, try using the HTML form as well as HTTP-AUTH. The first step would be to get it working using a browser; once we have that working then we can work on authentication with an external aggregator or feed reader.

salvis’s picture

Thank you for your reply!

Does the feed aggregator support HTTP-AUTH? Securesite does not accept usernames and passwords being passed by the query string. It only supports HTTP-AUTH and POST (HTML form).

Are you able to get authentication to work at all using a browser? If not, try using the HTML form as well as HTTP-AUTH. The first step would be to get it working using a browser; once we have that working then we can work on authentication with an external aggregator or feed reader.

Yes, as mentioned in #10, at this point I'm doing all testing with browsers. IE6 doesn't properly support feeds; I just used it for testing the HTTP-AUTH part. FF2 beautifully displays the feed contents when opened as a web page. Both show the same authentication problem.

Do you require submitting the username and password via the query string? E.g. http://www.example.com/?name=user&pass=password
I am not sure what the security risks would be of this kind of feature.

I haven't looked into any feed aggregators other than Thunderbird yet, and TB natively supports HTTP-AUTH. AFAIK, the standard for embedding HTTP-AUTH credentials in a query string is http://user:password@www.example.com/, but I don't know what is common among aggregators. IAC, HTTP-AUTH is unencrypted, so security-wise it doesn't make much of a difference whether you put the plain-text password into the query string or not. Naive users might be tempted to pass such a query string on to someone else though.

Do you know how the website aggregators like Google and Yahoo work? Will they make every feed available to everyone? Will they make a protected feed available to the public if one of the users would give them a query string with access credentials?
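The credential sources discussed in the last two comments (HTTP-AUTH header and POSTed form accepted, `?name=...&pass=...` in the query string not accepted, and the `http://user:password@host/` form), as an added Python model that is not securesite's code. `credentials_from_request` is a hypothetical server-side helper that takes already-parsed headers, POST fields and query parameters; `basic_header_from_url` shows what a client such as curl or Thunderbird does with userinfo in a URL: it is turned into an `Authorization: Basic` header, so the server never receives it as a query string. The user names and passwords in the tests are constructed.

```python
import base64
import binascii
from urllib.parse import urlsplit, unquote

# Added example: a model of which request parts carry login credentials.
# Not securesite's PHP; the dict-based request shape is an assumption of the demo.


def credentials_from_request(headers, post, query):
    """Pick login credentials out of one request the way the thread describes
    securesite doing it: only the HTTP-AUTH header or the POSTed form count.

    Returns ("http-auth", user, password), ("form", user, password) or None.
    `query` is accepted only so the model can show it is deliberately ignored:
    anything in the URL is written to web-server logs, browser history and
    Referer headers, which is why a server should never read a password from it.
    """
    auth = headers.get("Authorization", "")
    if auth[:6].lower() == "basic ":
        try:
            raw = base64.b64decode(auth[6:].strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None  # malformed header: treat as no credentials, not as an error page
        user, sep, password = raw.partition(":")
        return ("http-auth", user, password) if sep else None
    if "name" in post and "pass" in post:
        return ("form", post["name"], post["pass"])
    # name=...&pass=... in the query string is never consulted.
    return None


def basic_header_from_url(url):
    """Client-side view of http://user:password@host/...: the userinfo part is
    removed from the request line and sent as an Authorization header instead.
    Returns None when the URL carries no userinfo."""
    parts = urlsplit(url)
    if parts.username is None:
        return None
    pair = f"{unquote(parts.username)}:{unquote(parts.password or '')}"
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    hdr = basic_header_from_url("http://alice:secret@www.example.com/rss.xml")
    print(hdr)                                                   # Basic YWxpY2U6c2VjcmV0
    print(credentials_from_request({"Authorization": hdr}, {}, {}))
    print(credentials_from_request({}, {}, {"name": "alice", "pass": "secret"}))  # None
```

Because Basic credentials are only base64-encoded, the header is readable by anyone on the path; that is the same exposure whichever request part carries them, which is the point made in the reply above, and the practical difference is that URLs are logged and shared far more readily than headers.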

NaX’s picture

Ok, I think it's time to take a bottom-to-top approach.

1. Disable securesite and check that feeds are accessible to the desired users and that the permissions are correct.

2. Enable securesite and set it to use the HTML login form.

3.1 If 2 does not work, see 5.

3.2 If 2 works, then enable HTTP-AUTH (with or without the browser workaround, it doesn't matter).

4.1 If 3.2 works then we're done. :)

4.2 If 3.2 does not work and PHP is installed as a module and not as CGI, then see 5.

5. If your hosting allows it, set up a clean empty install of Drupal 4.7 and then install securesite 4.7. Enable securesite for the entire site (no bypass filter pages) and see if you can log in. Try it with both the login form and HTTP-AUTH. If this works then the problem could be other modules, possibly access control modules. If it does not work then we need to look a little deeper.

When it comes to the Google and Yahoo aggregators, I have never used them before. I looked at Google Reader and it looks like a personal website aggregator, based on Gmail. It should only make the feeds available to the user, but Google and Yahoo are some of the biggest content providers in the world so I would double-check these options before using them or recommending them to users.

salvis’s picture

1. Disable securesite and check that feeds are accessible to the desired users and that the permissions are correct.

I'm not sure what you mean by "permissions are correct", but with securesite disabled, the logged-in test user can see the feed in FF2. After logging out, the user gets the custom 403 error page when he tries to access the feed.

2. Enable securesite and set it to use the HTML login form.

Test user gets the HTML login form, but after entering the credentials gets the "Sorry. Unrecognized username or password." message. The entire site is now inaccessible...

Fortunately, I have the administrator open on another computer. After disabling securesite and refreshing the test user's browser, I find that the test user is logged in, so something has happened...

3.1 If 2 does not work, see 5.

Ok

5. If your hosting allows it, set up a clean empty install of Drupal 4.7 and then install securesite 4.7. Enable securesite for the entire site (no bypass filter pages) and see if you can log in. Try it with both the login form and HTTP-AUTH. If this works then the problem could be other modules, possibly access control modules. If it does not work then we need to look a little deeper.

Tried that, same result. Neither the form nor the dialog let me get in, but upon disabling securesite, I'm logged in.

To check whether HTTP-AUTH works at all on my server, I installed httpauth, removed the "access content" permission from the anonymous user, refreshed the test browser to get an "Access denied" error, added the "?authenticate" to the url, and logged in smoothly. So, HTTP-AUTH seems to work.

When it comes to the Google and Yahoo aggregators, I have never used them before. I looked at Google Reader and it looks like a personal website aggregator, based on Gmail. It should only make the feeds available to the user, but Google and Yahoo are some of the biggest content providers in the world so I would double-check these options before using them or recommending them to users.

I'm definitely not planning to use or recommend them, but when you open a feed in FF2, it offers to subscribe to the feed through Bloglines, My Yahoo, or Google-Reader, so some users will surely try those options...

NaX’s picture

I can't reproduce this problem; under every condition I have tested securesite it has worked.

Can you give me more info on your system? Things like OS, web server and version, and PHP version.

I have attached a patch that adds an extra message "Sorry. Access denied.". This message only comes up if a user was found but did not have the correct permissions ('access site'). Try it and tell me if the message comes up when you try to log in.

Have you tried to log in using your root admin account? Does the root account also have a problem?

When you try to log in and then disable securesite you say you are logged in. Try this: open the site in 2 browsers or on 2 computers, one logged in as your admin account and the other not logged in. Then go to the feed with your guest user and try to log in. Go back to your admin and see if there was anything logged, like "Session opened" or "Login attempt failed".

NaX’s picture

Attached: feeds_2.patch (434 bytes)

Forgot to attach the patch.

salvis’s picture

Can you give me more info on your system? Things like OS, web server and version, and PHP version.

SuSE Linux 9.3, Plesk 8.01, Apache/2.0.53, PHP 4.3.10, Zend Engine v1.3.0

I have attached a patch that adds an extra message "Sorry. Access denied.". This message only comes up if a user was found but did not have the correct permissions ('access site'). Try it and tell me if the message comes up when you try to log in.

Yes, I get
* Sorry. Access denied.
* Sorry. Unrecognized username or password.

I traced out the $account->uid -- it's the correct value, but for some unknown reason, user_access() returns null...

Have you tried to log in using your root admin account? Does the root account also have a problem?

I've tried it now -- the Drupal administrator can successfully log in through the form! And the log shows
   Session opened for <admin>.

When you try to log in and then disable securesite you say you are logged in. Try this: open the site in 2 browsers or on 2 computers, one logged in as your admin account and the other not logged in. Then go to the feed with your guest user and try to log in. Go back to your admin and see if there was anything logged, like "Session opened" or "Login attempt failed".

The log shows
   Login attempt failed for <user>

At this point I'm not messing with any feed, just trying to access /. After disabling securesite, the test user is again logged in, and if he logs out, he gets Access denied and the log shows
   Session closed for <user>.
   node denied access.

Yes, there's an unmatched
   Session closed for <user>.
without any preceding
   Session opened for <user>.

If the test user enters a bad password, he only gets
   Sorry. Unrecognized username or password.
but not the new message from your patch. The log shows the same
   Login attempt failed for <user>
but after disabling securesite and refreshing, the test user is not logged in.

NaX’s picture

Component: User interface » Documentation

From what you're telling me, the only reason it is not going through is that user_access('access site', $account) is returning false. That tells me that your user does not have the securesite permission 'access site'.

The root user can access everything and that is why the root user is able to log in. But normal users need to be allocated to a role that has the 'access site' permission.

salvis’s picture

Oh, now it finally dawns on me that "access site" is securesite's own access permission!!!

I didn't realize that securesite had its own "access control" section. You mentioned "access site" in #11, but I didn't look hard enough and thought you meant "access content". I tried to ask back in #13 and #17, but somehow we didn't communicate.

Anyway, with "access site" enabled, authorization works fine now. I have some additional issues, but I'll start a new thread.

Thank you for your help!

NaX’s picture

Status: Active » Closed (fixed)

No problem.

  • Commit c9ce632 on 5.x-1.x, 6.x-1.x, 6.x-2.x, 7.x-2.x, master, 8.x-1.x by NaX:
    #92816 added bypass filter options
    
    
  • Commit d9635cf on 5.x-1.x, 6.x-1.x, 6.x-2.x, 7.x-2.x, master, 8.x-1.x by NaX:
    #92816 only redirect if on logout page
    
    
  • Commit fa2ea07 on 5.x-1.x, 6.x-1.x, 6.x-2.x, 7.x-2.x, master, 8.x-1.x by NaX:
    #92816 allow Bypass Login Filter Pages to work when no pages are...