The RSS feed for any collaboration is broken. You can see any data although you are not entitled to see it. My case is based on a user not logged in who can see any RSS collaboration data. I haven't checked whether I can see a collaboration's RSS when logged in but not a member of the "Who can view" group. To recreate this case (done at demo.plainblack.com):
1. I created a collaboration at /demo/collaboration_test and committed content. I set the collaboration's "Who can view" to "Registered users" (and likewise for all other security choices).
2. Added a post to the collaboration
3. Log out
4. Check /demo/collaboration_test.rss and I can see the content, although you should need to log in to see the content.
/Erik
I am looking at this now. -LR
I can't seem to recreate this bug. Please let me know if I'm missing something.
1. Created collaboration system with "Who can view" set to "Admin"
2. Committed changes
3. Added a post
4. Added syndicated content, "URL to File" set for RSS file of collaboration system
5. Committed changes
6. Logged out
7. Clicked to view collaboration system thread and log-in screen appears (cannot view thread without log-in)
It's the RSS feed of the collaboration that the OP is talking about.
I'll take a look at this.
I have reproduced this, but there's an issue: There is no way to authenticate the RSS feed through WebGUI.
The only authentication method that works for the current RSS feed readers is HTTP Basic Auth, so you'd need a plugin that would map an HTTP Basic Auth to a WebGUI user.
Given that, restricting an RSS feed would work, so I'm going to fix this problem.
Fixed in 7.5.13. Closing as resolved.
Left a note in the gotchas for those who may have been relying on this buggy / insecure behavior.
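Added example, not part of the thread and not WebGUI code: a Python sketch of the behavior discussed above, where the feed enforces its own "Who can view" group and HTTP Basic credentials are mapped to a user. The user table, the "Everyone" group name, the realm and all function names are assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import hmac

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data; user names, groups and layout are hypothetical.
USERS = {
    "erik": {"salt": b"s1", "hash": _kdf("correct horse", b"s1"), "groups": {"Registered users"}},
    "guest": {"salt": b"s2", "hash": _kdf("guest-pw", b"s2"), "groups": set()},
}
FEED = {"can_view": "Registered users", "body": "<rss>constructed post</rss>"}
PUBLIC_FEED = {"can_view": "Everyone", "body": "<rss>public</rss>"}

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # the password may contain ':'
    return (user, password) if sep else None

def authenticate(creds):
    """Map Basic credentials to a known user name, or None."""
    if creds is None:
        return None
    user, password = creds
    record = USERS.get(user)
    salt = record["salt"] if record else b"-"
    expected = record["hash"] if record else b"\0" * 32
    ok = hmac.compare_digest(_kdf(password, salt), expected)  # same work for unknown users
    return user if record and ok else None

def serve_feed(feed, headers):
    """Return (status, response_headers, body); the view group applies to the feed itself."""
    if feed["can_view"] == "Everyone":
        return 200, {}, feed["body"]
    user = authenticate(parse_basic(headers.get("Authorization")))
    if user is None:  # challenge so a feed reader can retry with credentials
        return 401, {"WWW-Authenticate": 'Basic realm="feed"'}, ""
    if feed["can_view"] not in USERS[user]["groups"]:
        return 403, {}, ""
    return 200, {}, feed["body"]
```

Basic credentials are only base64-encoded, so a feed protected this way should be served over HTTPS.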