Secure RSS feeds using web tokens
Activity

Committed. I split the rss stuff used by managetokens.php out into /rss/renderer.php

As I wrote in the code, I let you choose:
1- you can either create your render code wherever you want, and rss/renderer.php sounds good to me.
2- you can choose to add the RSS key into the current security key table (I know it's what Martin wants but I would prefer to separate it for coding reasons), in this case you could have to modify the webservice renderer, that would be a bit ugly, but it would be better than mixing both into the rss folder.
I prefer 1-

Patch attached that adds rss token reset to /user/managetoken.php
Should I split out the rss stuff into a separate renderer? Currently pretty much everything on that page is being rendered by webservices/renderer.php
Should I instead create /rss/renderer.php?
PS: there are a couple of little changes in navigationlib.php in the patch that I've made for an unrelated issue.

Just did a big commit. The RSS feeds are now driven off context id rather than course id. The user is identified by a token rather than their id. Also the feeds are generated and updated as needed rather than being done in batch by cron.php.
All that's left now is adding a button so the user can get a new token if they think their token has been compromised.

Sorry to change this again Andrew but it's better we use the existing table user_private_key and the API it has.
Get a key (to display in RSS links) like this:

    $key = get_user_key('rss', $USER->id);

To get the user from a key:

    if ($key = $DB->get_record('user_private_key', array('script'=>'rss', 'value'=>$keyvalue))) {
        if (!$user = $DB->get_record('user', array('id'=>$key->userid))) {
            print_error('invaliduserid');
        }
    }

And to set up the current "session" with $USER global with all capabilities etc (a little expensive so do it only when necessary):

    /// emulate normal session
    session_set_user($user);
    /// note we are not using normal login
    if (!defined('USER_KEY_LOGIN')) {
        define('USER_KEY_LOGIN', true);
    }
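
A model of the key lifecycle discussed in this thread (one key per user and script, lookup by value, and the token reset for a compromised token), as an added example that is not Moodle code and not part of any comment here. UserKeyStore and its methods are hypothetical stand-ins for the user_private_key table, and the user id is constructed.

```php
<?php
// Added illustration: in-memory stand-in for the user_private_key table
// (columns script, value, userid). All names here are hypothetical.
final class UserKeyStore
{
    private array $rows = []; // key value => ['script' => ..., 'userid' => ...]

    // Return the user's existing key for this script, or issue a new one.
    public function getUserKey(string $script, int $userid): string
    {
        foreach ($this->rows as $value => $row) {
            if ($row['script'] === $script && $row['userid'] === $userid) {
                return (string) $value;
            }
        }
        $value = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
        $this->rows[$value] = ['script' => $script, 'userid' => $userid];
        return $value;
    }

    // Map a key taken from a feed URL back to a user id, or null if unknown.
    public function userFromKey(string $script, string $value): ?int
    {
        $row = $this->rows[$value] ?? null;
        // A key issued for another script must not unlock RSS feeds.
        return ($row !== null && $row['script'] === $script) ? $row['userid'] : null;
    }

    // Reset: delete the old key so leaked feed URLs stop working, then reissue.
    public function resetUserKey(string $script, int $userid): string
    {
        foreach ($this->rows as $value => $row) {
            if ($row['script'] === $script && $row['userid'] === $userid) {
                unset($this->rows[$value]);
            }
        }
        return $this->getUserKey($script, $userid);
    }
}

// Constructed walk-through with a made-up user id.
$store = new UserKeyStore();
$old = $store->getUserKey('rss', 42);
var_dump($store->getUserKey('rss', 42) === $old);  // repeat requests reuse the key
var_dump($store->userFromKey('rss', $old));        // key resolves to its owner
var_dump($store->userFromKey('webservice', $old)); // key is scoped to its script
$new = $store->resetUserKey('rss', 42);
var_dump($store->userFromKey('rss', $old));        // old feed links stop resolving
var_dump($store->userFromKey('rss', $new));        // only the new key resolves
```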

If web services are enabled, then RSS feeds should implement security with an RSS webservice token.
(This issue is a new one that replaces the older effort at this from https://moodle.atlassian.net/browse/MDL-15122#icft=MDL-15122)