[pmwiki-users] RSS feeds and passwords
Patrick R. Michaud
pmichaud at pobox.com
Mon Nov 12 12:20:21 CST 2007
On Mon, Nov 12, 2007 at 11:47:18AM -0600, Jon Haupt wrote:
> On Nov 12, 2007 11:10 AM, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> > It depends on what you mean by "encrypted password". No matter
> > the form of the password (encrypted or cleartext), anyone who is
> > able to obtain the authpw= parameter of the url would be able to use
> > that value to access the RSS feed.
> > It is possible, however, to set up RSS-only passwords -- i.e.,
> > passwords that provide access to the RSS feed(s) but not to
> > anything else.
> Yeah, but they wouldn't have the actual password, so they wouldn't be
> able to use the encrypted value for anything but the RSS, right? I
> mean, you couldn't then use the encrypted value to edit a page, for
If you mean that ?action=rss should somehow decrypt the password
before verifying it, then perhaps. But this approach is still a
form of "RSS-only password" -- i.e., anyone seeing the encrypted form
of the password would be able to view RSS feeds but nothing else.
Another issue in dealing with encrypted passwords is that not
all PHP installations have encryption/decryption libraries installed,
so it wouldn't work on all systems. And for this application the
administrator would need to set a unique encryption key in the
configuration file and ensure that attackers can't view the
configuration file and thereby obtain the key. (And changing
the key would invalidate any existing encrypted passwords.)
> The nice thing about this approach is that the password may have read
> access to some (but not all) pages, simply through the usual way. If
> you create a RSS-only password, how would you ensure that someone with
> this password only had access to x page and not y or z? You'd have to
> specify this somehow, and that seems like it'd be duplicating
> work--unless there was a way to tie it to another (read) password.
Yes, having an RSS password that can be set on a per-page basis
would require creating a separate 'rss' authorization level, and
then using ?action=attr to set per-page rss passwords. Or it could
be set from per-page configuration files.
More information about the pmwiki-users