commit 5132ca97aa37c8cb92fd43f52e6a950d0e34fd62
Author: Ashley Holman <ashley@netspot.com.au>
Date:   Sat Mar 20 18:59:31 2010 +1030

    Implemented proof-of-concept tokens for secure RSS feeds.
    
    Requires a real implementation of token creation / validation.

diff --git a/lang/en_utf8/moodle.php b/lang/en_utf8/moodle.php
index e80f1a2..7ae9fbb 100644
--- a/lang/en_utf8/moodle.php
+++ b/lang/en_utf8/moodle.php
@@ -1412,6 +1412,7 @@ $string['roles'] = 'Roles';
 $string['rss'] = 'RSS';
 $string['rssarticles'] = 'Number of RSS recent articles';
 $string['rsserror'] = 'Error reading RSS data';
+$string['rsserrorauth'] = 'Your RSS link does not contain a valid authentication token.';
 $string['rsstype'] = 'RSS feed for this activity';
 $string['saveandnext'] = 'Save and show next';
 $string['savechanges'] = 'Save changes';
diff --git a/lib/rsslib.php b/lib/rsslib.php
index b5f9835..568c615 100644
--- a/lib/rsslib.php
+++ b/lib/rsslib.php
@@ -55,8 +55,9 @@ function rss_get_link($courseid, $userid, $modulename, $id, $tooltiptext='') {
  */
 function rss_get_url($courseid, $userid, $modulename, $id) {
     global $CFG;
+    $token = rss_get_token($userid);
     require_once($CFG->libdir.'/filelib.php');
-    return get_file_url($courseid.'/'.$userid.'/'.$modulename.'/'.$id.'/rss.xml', null, 'rssfile');
+    return get_file_url($courseid.'/'.$token.'/'.$modulename.'/'.$id.'/rss.xml', null, 'rssfile');
 }
 
 /**
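Review bot: In `rss_get_url()` the value from `rss_get_token()` is placed in the URL path, so it acts as a bearer credential that ends up in feed readers, browser history and web-server access logs. The real token therefore needs to be unguessable, valid for feed access only, and replaceable by the user without touching their password. The docblock for this function starts above the hunk and presumably still describes the second path segment as a user id. A line such as `* The second path segment is a per-user RSS token, not the user id.` would keep it accurate.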
@@ -303,7 +304,7 @@ function rss_standard_footer($title = NULL, $link = NULL, $description = NULL) {
  * to be sent when a rss is required (file.php)
  * and something goes wrong
  */
-function rss_geterrorxmlfile() {
+function rss_geterrorxmlfile($errortype = 'rsserror') {
     global $CFG;
 
     $return = '';
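Review bot: The new `$errortype` parameter of `rss_geterrorxmlfile()` is undocumented; the comment above the function only says when the error file is sent. I would add `@param string $errortype key of the language string used as the item description (default 'rsserror')`. The value goes straight into `get_string()` in the next hunk, so callers should pass only fixed keys and never request data. The function body continues outside this hunk.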
@@ -317,7 +318,7 @@ function rss_geterrorxmlfile() {
         $item->title       = "RSS Error";
         $item->link        = $CFG->wwwroot;
         $item->pubdate     = time();
-        $item->description = get_string("rsserror");
+        $item->description = get_string($errortype);
         $return .= rss_add_items(array($item));
     }
 
@@ -443,3 +444,15 @@ function rss_add_enclosures($item){
 
     return $returnstring;
 }
+
+function rss_get_userid_from_token($token) {
+  // TODO: return the real userid according to token
+  if ("$token" == "faketoken") {
+    return 3;
+  }
+}
+
+function rss_get_token($userid) {
+  // TODO: return the real token for this user
+  return 'faketoken';
+}
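Review bot: `rss_get_token()` returns the same constant for every user and `rss_get_userid_from_token()` maps that constant to the hard-coded id 3, so while this stub is in place every feed link carries one shared credential that resolves to a single account. The lookup also ends with an implicit null and uses a loose `==`; make the failure explicit and the match strict: `if ((string)$token === 'faketoken') { return 3; }` followed by `return false;`. Both functions need a docblock stating the contract: the user id on success, false on an unknown token. They are also indented with two spaces where the rest of the file uses four. The real implementation should issue a cryptographically random per-user value stored server-side and matched exactly, and this placeholder should not reach a production branch.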
diff --git a/rss/file.php b/rss/file.php
index e986e55..8ee18e8 100644
--- a/rss/file.php
+++ b/rss/file.php
@@ -41,11 +41,16 @@ define('NO_MOODLE_COOKIES', true); // session not used here
     }
 
     $courseid   = (int)$args[0];
-    $userid     = (int)$args[1];
+    $token     = $args[1];
+    $userid    = rss_get_userid_from_token($token);
     $modulename = clean_param($args[2], PARAM_FILE);
     $instance   = $args[3];
     $filename   = 'rss.xml';
 
+    if (!$userid) {
+      rss_not_authenticated();
+    }
+
     if ($isblog = $modulename == 'blog') {
        $blogid   = (int)$args[4];  // could be groupid / courseid  / userid  depending on $instance
        if ($args[5] != 'rss.xml') {
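Review bot: `$args[1]` is passed to `rss_get_userid_from_token()` without cleaning, while the neighbouring `$args[2]` goes through `clean_param()`. Once the lookup is real this value will reach a query or comparison, so constrain it first, e.g. `$token = clean_param($args[1], PARAM_ALPHANUM);`. The `if (!$userid)` branch also relies on `rss_not_authenticated()` ending the request, and nothing visible here stops execution. If `send_file()` ever returns, the script continues into the blog/module code with an empty `$userid`, so an explicit `die;` after the call would make the failure path unambiguous. The surrounding script continues outside this hunk.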
@@ -114,3 +119,8 @@ define('NO_MOODLE_COOKIES', true); // session not used here
         send_file(rss_geterrorxmlfile(), $filename, $lifetime, false, true);
     }
 
+    function rss_not_authenticated() {
+        global $lifetime, $filename;
+        send_file(rss_geterrorxmlfile('rsserrorauth'), $filename, $lifetime, false, true);
+    }
+
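Review bot: `rss_not_authenticated()` reads `$lifetime` and `$filename` through `global`, so it only works if both are assigned before the token check runs. `$lifetime` is set outside the visible hunks, so confirm it is assigned before that point, or pass both values as parameters. The error document is also sent with the same `$lifetime` as a real feed. If that argument is the cache lifetime, as it appears to be, a client or proxy could keep serving the authentication error after the link is corrected, and a zero lifetime would be safer for this response. A short comment such as `// Sends the 'rsserrorauth' RSS error document and is expected to end the request.` would record the intent.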

