[idea] RSS feeds of private boards

Started by emanuele

This is something that randomly comes up: access via feeds to a board not accessible to guests.

Of course it is not possible "by default", otherwise it would be just a security hole: people would be able to access topics that are usually not accessible.
But, I was thinking: what if we generate a user-specific (and maybe board-specific, even though it looks a bit overkill) token to add to the URL in order to allow a feed reader to consume the feed without needing login details?
The token may change when the password is changed, in order to ensure better control.

Now, the downsides:
1) bruteforce attacks - an attacker may start probing any combination of random strings to find one giving him access to a hidden board. This wouldn't be much different from brute-forcing the password, and similar protection mechanisms may be put in place: flood control. And maybe some slightly more sophisticated flood control, with checks on the IP and access to multiple/different resources.
2) the token is part of the URL, and if a member shares the URL by mistake somewhere there could be a leak. Not many ways to prevent that apart from education. There may be some ways to try to identify the likelihood of this situation: a valid referer (would mean the URL has been published somewhere), "frequent" accesses from different IPs (potential symptom of different people accessing the page) in different geo areas (another indicator).

Just a thought.
Bugs creator.
Features destroyer.
Template killer.
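The scheme sketched in the post (a per-user, optionally per-board feed token carried in the URL, invalidated on password change, with flood control against guessing and a heuristic for spotting leaked URLs) can be prototyped in a few dozen lines. The code below is an added illustration and is not part of the post or of any forum software; the server secret, the window and threshold constants, the `feed_token`/`FeedGate` names and the IP addresses in the usage are all constructed for the example. The token is derived with an HMAC over the user id and a "password version" counter, so bumping that counter when the member changes their password retires every feed URL issued before, without the server having to store tokens at all.

```python
import hashlib
import hmac
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

# Hypothetical server-side secret: load it from configuration in a real deployment.
SERVER_SECRET = b"constructed-example-secret-do-not-use"

FAILS_PER_WINDOW = 5    # flood control: failed attempts tolerated per IP per window
WINDOW_SECONDS = 300    # sliding window for both flood control and the leak heuristic
DISTINCT_IP_LIMIT = 3   # leak heuristic: more distinct IPs than this on one token


def feed_token(user_id: int, password_version: int, board_id: Optional[int] = None) -> str:
    """Derive the token that goes in the feed URL, e.g. /feed?u=42&board=7&token=...

    password_version is incremented whenever the member changes their password,
    so every previously issued feed URL stops validating.
    """
    scope = "*" if board_id is None else str(board_id)
    msg = f"{user_id}:{password_version}:{scope}".encode()
    # 32 hex characters = 128 bits of HMAC output: not enumerable by probing.
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]


class FeedGate:
    """Validates feed requests and applies flood control plus leak detection."""

    def __init__(self, password_versions: Dict[int, int]):
        self.password_versions = password_versions   # user_id -> current version
        self.failures = defaultdict(deque)           # ip -> timestamps of failed attempts
        self.token_ips = defaultdict(dict)           # token -> {ip: last seen timestamp}

    @staticmethod
    def _prune(timestamps: deque, now: float) -> None:
        while timestamps and now - timestamps[0] > WINDOW_SECONDS:
            timestamps.popleft()

    def check(self, user_id: int, board_id: Optional[int], token: str, ip: str,
              now: float, referer: Optional[str] = None) -> Tuple[str, List[str]]:
        """Return (decision, warnings); decision is 'ok', 'denied' or 'throttled'."""
        fails = self.failures[ip]
        self._prune(fails, now)
        if len(fails) >= FAILS_PER_WINDOW:
            return "throttled", []          # flood control kicks in before any validation

        version = self.password_versions.get(user_id)
        if version is None:
            fails.append(now)
            return "denied", []
        expected = feed_token(user_id, version, board_id)
        # Constant-time comparison: response timing must not reveal matching prefixes.
        if not hmac.compare_digest(expected.encode(), token.encode()):
            fails.append(now)
            return "denied", []

        # Leak heuristics from the post: many IPs on one token, or a Referer header
        # (feed readers normally send none, so one suggests the URL was published).
        warnings: List[str] = []
        seen = self.token_ips[token]
        seen[ip] = now
        for other_ip, last in list(seen.items()):
            if now - last > WINDOW_SECONDS:
                del seen[other_ip]
        if len(seen) > DISTINCT_IP_LIMIT:
            warnings.append("many-ips")
        if referer:
            warnings.append("referer-present")
        return "ok", warnings


if __name__ == "__main__":
    gate = FeedGate({42: 1})                       # user 42, first password version
    tok = feed_token(42, 1, board_id=7)
    print(gate.check(42, 7, tok, "198.51.100.10", now=1000.0))
    print(FeedGate({42: 2}).check(42, 7, tok, "198.51.100.10", now=1000.0))  # after a password change
```

The warnings are advisory: a feed served from several IPs can be legitimate (a member reading from home, work and a phone), so a site would log or alert on them and perhaps prompt the member to regenerate the token, rather than block outright. The geo-area indicator from the post would slot in beside the distinct-IP count once an IP-to-region lookup is available.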