aC forum: How do I lock it down so only logged in users can view projects etc?

Post #7 by Ilija Studen

Ilija Studen — Sun, 02 Sep 2007 06:06:21 UTC

Yes - the same way as someone needs a copy of your password to access the entire system :)

Token is generated randomly per user, it is changed every time user changes the password and RSS and iCal URL-s are generated for logged in user only. If you don't trust the system that everyone is using without any problems you can alter FeedController and make all actions unusable.

Post #6 by DanielX

DanielX — Sun, 02 Sep 2007 00:19:21 UTC

so does that mean that all anyone needs to hav access is to hav a copy of the rss link?

Post #5 by Ilija Studen

Ilija Studen — Fri, 31 Aug 2007 06:05:14 UTC

That is because authentication data is included in the URL.

Try to remove token variable from the URL, copy it to Opera and than try to login. Now try to guess your token.

Post #4 by DanielX

DanielX — Thu, 30 Aug 2007 20:38:58 UTC

That's reassuring - but i was able to copy the rss link to the Opera browser and it didnt ask me to log in, it just gave me direct access.

Post #3 by Ilija Studen

Ilija Studen — Thu, 30 Aug 2007 05:38:19 UTC

RSS links are protected with tokens so it is not true that anyone can access them.

Also, RSS is read-only technology. You cannot use RSS to alter or delete anything in activeCollab.

Have fun! :)

Post #2 by DanielX

DanielX — Thu, 30 Aug 2007 00:35:28 UTC

Also how do i take out the RSS links?

Post #1 by DanielX

DanielX — Thu, 30 Aug 2007 00:27:17 UTC

It seems anyone on the net can view what they like and add what they like anonymously... especially thru the RSS feed.

As I dont want outsiders ear-winging on clients etc, how do I make sure only account holders can get in?