How do I remove/disable atom rss feed

Added by Gabe b over 6 years ago

I do not want the atom feed to be used or displayed within my instance as it appears that you don't need to login in to view the feed (if you know the feed url).

How can I do this?

Replies (11)

RE: How do I remove/disable atom rss feed - Added by Felix Schäfer over 6 years ago

Gabe b wrote:

I do not want the atom feed to be used or displayed within my instance as it appears that you don't need to login in to view the feed (if you know the feed url).

Yes and no: If you hit the feed URL without a key, you will only get publicly-viewable items. If you are logged in, the feed links get appended with a key that is unique to each user and thus Redmine shows only stuff that user can see for that feed.

How can I do this?

You can't.

RE: How do I remove/disable atom rss feed - Added by Gabe b over 6 years ago

Isn't this seen as being slightly insecure?

RE: How do I remove/disable atom rss feed - Added by Michael DeMan about 6 years ago

I agree. At a minimum there is a perception of serious security problems, whether the RSS implementation is secure or not.

A small thing like this is basically a deal-breaker for being able to use or recommend Redmine.

RE: How do I remove/disable atom rss feed - Added by Mischa The Evil about 6 years ago

I don't think the current RSS implementation is insecure. Please provide an actual use-case where the implementation would become insecure with taking note of the comment by Felix.

RE: How do I remove/disable atom rss feed - Added by Michael DeMan about 6 years ago

Okay - I will do a bit of testing on the RSS feed with a sample private project and such.

RE: How do I remove/disable atom rss feed - Added by Mischa The Evil about 6 years ago

Please do. Please also give your feedback afterwards ;)

RE: How do I remove/disable atom rss feed - Added by Claudio Floreani almost 6 years ago

I don't think the current RSS implementation is insecure. Please provide an actual use-case where the implementation would become insecure with taking note of the comment by Felix.

I think there is a security issue. If I share confidential information with some collaborators in the forum (for example) of a private project, then without the Atom feed I know who logs in and who logs out and may in some way control a "leak" of information.
If the Atom feed cannot be disabled, everyone who comes into possession of this string (the Atom URL of the "activity" page) can view every private comment on the forum, know almost everything that is going on from that moment on, and even maliciously share it. Grabbing this URL can be as easy as being able to read the browser history, or the clipboard, or having access by some means to his mobile application for reading feeds. It takes only a couple of minutes to grab the string and now we are all being spied on without ever knowing it. Not to mention that having the user key can throw open the door to many other security jeopardies.

In my opinion, please take into consideration the possibility of disabling the feed.

RE: How do I remove/disable atom rss feed - Added by Michael DeMan over 5 years ago

If nothing else - does anybody have a justification why it should not be allowed to optionally disable the RSS feed?

Whether somebody wants to disable it just because they do not want to use it or because they are concerned about security - either way it should be a simple configuration item? Ideally on both a global and a per-project basis?

RE: How do I remove/disable atom rss feed - Added by Michael DeMan over 5 years ago

Also,

Unfortunately I have not had time to test the RSS feed on a public vs. private project basis - I just realized I had said I would do that. Either way, some people may just not want it. I know for a fact I do not want it either for the company where I have my day job or for my personal projects. The former being more security related and the latter because I just do not want it there anyway.

RE: How do I remove/disable atom rss feed - Added by Ivan Rapekas almost 3 years ago

I looked through the logs and found that somebody can view my activity inside the private project via RSS feeds (Redmine 2.5.3). I tried commenting out the line:
user = User.find_by_rss_key(params[:key])
in the file
./app/controllers/application_controller.rb
and as a result the anonymous user is redirected to the login page.

For extreme security you may revoke the read attribute from the file
chmod -r ./app/views/common/feed.atom.builder
It will show an error 500 page when the RSS feed is accessed.
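As an added illustration that is not Redmine's code or any poster's, the following constructed Ruby model shows the behaviour Felix describes (no key gives only public items, a valid per-user key gives what that user may see), the effect of Ivan's workaround (feeds disabled means login required), and a key rotation step as the mitigation for the leaked-URL scenario Claudio raises. The data, the `feed_items` and `rotate_rss_key` functions and the `feeds_enabled` switch are hypothetical; only the name `find_by_rss_key` is borrowed from the thread.

```ruby
require 'securerandom'

# Constructed sample data standing in for a Redmine instance (not Redmine's models).
PUBLIC_PROJECT  = { name: 'docs',   public: true  }
PRIVATE_PROJECT = { name: 'secret', public: false }

Event = Struct.new(:project, :title)
EVENTS = [
  Event.new(PUBLIC_PROJECT,  'Wiki page updated'),
  Event.new(PRIVATE_PROJECT, 'Confidential forum post'),
]

# Hypothetical user: :projects lists the projects this user is a member of.
User = Struct.new(:login, :rss_key, :projects)
ALICE = User.new('alice', SecureRandom.hex(20), [PUBLIC_PROJECT, PRIVATE_PROJECT])
USERS = [ALICE]

# Stand-in for the User.find_by_rss_key lookup quoted in the thread:
# an absent or unknown key resolves to no user (i.e. the anonymous viewer).
def find_by_rss_key(key)
  return nil if key.nil? || key.empty?
  USERS.find { |u| u.rss_key == key }
end

# Feed contents as seen by whoever presents `key`.
# - no/unknown key: only items from public projects
# - valid key: public items plus items from that user's projects
# - feeds disabled (Ivan's workaround): the key is ignored and the caller must log in
def feed_items(key, feeds_enabled: true)
  return :login_required unless feeds_enabled
  user = find_by_rss_key(key)
  visible = user ? user.projects : []
  EVENTS.select { |e| e.project[:public] || visible.include?(e.project) }.map(&:title)
end

# The key is a bearer credential embedded in the feed URL, so once a URL has leaked
# (browser history, clipboard, feed reader) the only remedy is to issue a new key,
# which invalidates every copy of the old URL.
def rotate_rss_key(user)
  user.rss_key = SecureRandom.hex(20)
end
```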
