Valid users get empty RSS for restricted categories

Reproduce:

  1. Be authenticated as a user with valid access to a restricted category such as: https://meta.discourse.org/c/lounge
  2. In the same session, view the RSS feed for that category, e.g., https://meta.discourse.org/c/lounge.rss

Expected results:

  • Topics for that category appear in the feed for valid users.
  • 404 for invalid/anonymous sessions.

Actual results:

  • No topics appear in the category RSS feed for valid users.
  • 404 for invalid/anonymous sessions.

Is there no fix for this bug yet?

I think the fix is to make the category not restricted.

Else I’m not seeing the use case for someone wanting to view a topic in RSS format while they’re logged into the forum and can see it as a page.

And if the category is restricted, letting it be an RSS feed external to the forum would defeat the intent of it being restricted, no?

What am I not seeing here?

Well, we have a chat too and a private channel for our team. It would be great if we could use RSS to automatically add (via bot) new topics or posts from our restricted categories to our private channel, like we used to do for all the other (public) categories and the community channels.

Was this fixed here already @tgxworld?

https://github.com/discourse/discourse/commit/bc4087b9bb32c9b45ec3b41f9f60e0f36191b033

Clicking here https://meta.discourse.org/c/lounge.rss it seems not fixed yet:

Ooh, that’s a data leak. I don’t think the category description for restricted categories is supposed to be public.

You’d have to utilize an API key to get that to show anything, right? (assuming that is supported)

So @Trash, if you have a user who has access to the restricted category and is assigned an API key, see if appending the api_username and api_key to the URL makes it return data.

Edit: I just tried passing an API username and key to a restricted category for an RSS feed and didn’t get the data, so it seems the RSS implementation isn’t looking for a key for validation. But the category JSON does return the detail.

Don’t think so. That fix was for RSS poll feed.

We are looking good these days.

To add a bit here: we also support user API keys and scoped API keys that can unlock secret RSS integrations.
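
The expected and actual results from this thread, written as a regression check over captured responses for a restricted category's `.rss` URL. This is an added example, not code from the thread or from Discourse; the function names and the sample feeds are constructed for illustration.

```python
import xml.etree.ElementTree as ET


def summarize_feed(body):
    """Return (item_count, channel_description) for an RSS 2.0 document."""
    channel = ET.fromstring(body).find("channel")
    if channel is None:
        return 0, ""
    description = (channel.findtext("description") or "").strip()
    return len(channel.findall("item")), description


def check_restricted_feed(anon, member):
    """anon and member are (http_status, body) pairs captured for the same URL.

    Returns a list of findings. An empty list means the expected results
    hold: 404 for the anonymous session, topics for the permitted user.
    """
    findings = []
    anon_status, anon_body = anon
    if anon_status != 404:
        findings.append(f"anonymous request returned {anon_status}, expected 404")
        if anon_status == 200:
            items, description = summarize_feed(anon_body)
            if items:
                findings.append(f"anonymous feed exposes {items} topic(s)")
            if description:
                findings.append("anonymous feed exposes the category description")
    member_status, member_body = member
    if member_status != 200:
        findings.append(f"permitted user got {member_status}, expected 200")
    elif summarize_feed(member_body)[0] == 0:
        findings.append("permitted user got a feed with no topics")
    return findings


# Constructed sample feeds (not real forum data).
EMPTY_FEED = (
    '<rss version="2.0"><channel><title>Restricted</title>'
    "<description>Constructed private description</description>"
    "</channel></rss>"
)
FULL_FEED = EMPTY_FEED.replace(
    "</channel>", "<item><title>Constructed topic</title></item></channel>"
)

if __name__ == "__main__":
    # The report at the top of the thread: 404 for anonymous, empty feed for the member.
    print(check_restricted_feed((404, ""), (200, EMPTY_FEED)))
```
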