The RSS feed for any collaboration is broken. You can see any data although you are not entitled to see it. My case is based on a user not logged in that can see any RSS collaboration data. I haven't checked whether I can see a collaboration's RSS when logged in but not a member of the "Who can view" group. To recreate this case (done at demo.plainblack.com):
1. I created a collaboration at /demo/collaboration_test and committed content. I set the collaboration's "Who can view" to "Registered users" (and for all other security choices).
2. Added a post to the collaboration
3. Log out
4. Check /demo/collaboration_test.rss and I can see the content although you should need to log in to see the content.
/Erik
I am looking at this now. -LR
I can't seem to recreate this bug. Please let me know if I'm missing something.
1. Created collaboration system with "Who can view" set to "Admin"
2. Committed changes
3. Added a post
4. Added syndicated content, "URL to File" set for RSS file of collaboration system
5. Committed changes
6. Logged out
7. Clicked to view collaboration system thread and log-in screen appears (cannot view thread without log-in)
It's the RSS feed of the collaboration that the OP is talking about.
I'll take a look at this.
I have reproduced this, but there's an issue: There is no way to authenticate the RSS feed through WebGUI.
The only authentication method that works for the current RSS feed readers is HTTP Basic Auth, so you'd need a plugin that would map an HTTP Basic Auth to a WebGUI user.
Given that, restricting an RSS feed would work, so I'm going to fix this problem.
Fixed in 7.5.13. Closing as resolved.
Left a note in the gotchas for those who may have been relying on this buggy / insecure behavior.
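
A minimal model of the behaviour discussed in this thread, added here as an illustration and not WebGUI's code: a feed handler that skips the "Who can view" check, beside one that maps HTTP Basic Auth to a user and applies the same group check as the asset. All names (USERS, GROUPS, ASSET, rss_vulnerable, rss_fixed, basic) and the sample data are constructed assumptions.

```python
import base64
import hmac
from xml.sax.saxutils import escape

# Constructed sample data; none of this comes from WebGUI itself.
USERS = {"erik": "s3cret", "other": "hunter2"}       # username -> password
GROUPS = {"Registered users": {"erik"}}              # group -> members
ASSET = {"who_can_view": "Registered users", "posts": ["First post"]}

def user_from_basic_auth(headers):
    """Map an HTTP Basic Auth header to a known user; None means visitor."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return None
    name, _, password = decoded.partition(":")
    expected = USERS.get(name)
    if expected and hmac.compare_digest(expected.encode(), password.encode()):
        return name
    return None

def render_rss(asset):
    items = "".join(f"<item><title>{escape(p)}</title></item>"
                    for p in asset["posts"])
    return f"<rss><channel>{items}</channel></rss>"

def rss_vulnerable(headers):
    """Reported behaviour: the feed is rendered without any view check."""
    return 200, {}, render_rss(ASSET)

def rss_fixed(headers):
    """The feed applies the same "Who can view" group check as the asset."""
    user = user_from_basic_auth(headers)
    if user is None:
        # Ask the feed reader for credentials instead of returning content.
        return 401, {"WWW-Authenticate": 'Basic realm="feed"'}, ""
    if user not in GROUPS[ASSET["who_can_view"]]:
        return 403, {}, ""
    return 200, {}, render_rss(ASSET)

def basic(name, password):
    """Build the Authorization header a feed reader would send."""
    token = base64.b64encode(f"{name}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}
```

A regression check for this bug class is the anonymous request: it must return 401 with an empty body, not the feed.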