Valid users get empty RSS for restricted categories

rss

(Michael Downey) #1

Reproduce:

  1. Be authenticated as a user with valid access to a restricted category such as: Discourse Meta
  2. In the same session, view the RSS feed for that category, e.g., Discourse Meta

Expected results:

  • Topics for that category appear in the feed for valid users.
  • 404 for invalid/anonymous sessions.

Actual results:

  • No topics appear in the category RSS feed for valid users.
  • 404 for invalid/anonymous sessions.

(Daniela) #2

Is there no fix for this bug yet?


(Mittineague) #3

I think the fix is to make the category not restricted.

Else I’m not seeing the use case for someone wanting to view a topic in RSS format while they’re logged into the forum and can see it as a page.

And if the category is restricted, letting it be an RSS feed external to the forum would defeat the intent of it being restricted, no?

What am I not seeing here?


(Daniela) #4

Well, we have a chat too and a private channel for our team. It would be great if we could use RSS to automatically add (via bot) new topics or posts from our restricted categories to our private channel, like we used to do for all the other (public) categories and the community channels.


(Jeff Atwood) #5

Was this fixed here already @tgxworld?


(Daniela) #6

Clicking here (Discourse Meta), it seems it is not fixed yet:


(Kane York) #7

Ooh, that’s a data leak. I don’t think the category description for restricted categories is supposed to be public.


(cpradio) #8

You’d have to utilize an API key to get that to show anything, right? (assuming that is supported)

So @Trash, if you have a user who has access to the restricted category and is assigned an API key, see if appending the api_username and api_key to the URL makes it return data.

Edit: I just tried passing an API username and key to a restricted category for an RSS feed and didn’t get the data, so it seems the RSS implementation isn’t looking for a key for validation. But the category JSON does return the detail.


(Alan Tan) #9

Don’t think so. That fix was for the RSS poll feed.