RSS feeds and user permissions
|Reported by:||Owned by:||Jonas Borgström|
Unless I'm missing something fundamental, it doesn't appear that Trac supports the use of RSS feeds unless the anonymous user has permissions to view.
In the case that the page with the RSS feed requires an authenticated user, the user has to visit /trac/login (and enter the HTTP auth data) before the session cookie is set and Trac can tell who they are. If they haven't, Trac will return a 403 forbidden, then pop up the error page saying that they need to log in to view the selected page. So, in the case of a newsreader, they try some form of the url /trac/timeline?format=rss and get told they don't have permissions. They aren't prompted for permissions at this point because the Trac pages other than /trac/login rely on the session cookie, opposed to HTTP auth, and don't ask for it. The news reader doesn't deal with anything but RSS feeds and doesn't allow the user to auth.
I'm wondering if something of the following could be done to alleviate this:
Make a /rss?type=timeline style URL that will need HTTP auth directly, opposed to checking for the Trac session cookie. This way I can have my news reader prompt me for my user name and password. From there, it should have the info (just the username, I'd imagine) to check all the permissions on whether the user is able to see particular items.