InDefero


Issue 167: Timeline feed URL should only include auth token for private projects

Reported by Ciaran Gultnieks, Mar 24, 2009

Unless I misunderstand, there is no need to add an auth token to the 
timeline feed URL for a project unless the project is private. 
Currently it's added regardless, if the user is logged in.

This adds an unnecessary risk of the user accidentally exposing the 
token, and will also mean that the URL will become invalid if the 
user changes their password.

Comment 1 by Ciaran Gultnieks, Mar 24, 2009

Patch attached that makes it only add the token if the project is 
private, which I think is the correct logic.

Comment 2 by Loïc d'Anterroches, Mar 26, 2009

It is a bit more complicated as you need to take into account if a 
tab is available only to project members or admins. But the approach 
is good from a security point of view. 

I will push the check if needed or not in the IDF_Project object as 
it will be needed for the other feeds.

Comment 3 by Loïc d'Anterroches, Oct 8, 2009

Fixed in commit e5934e0, thanks for your patience. I have added the 
isRestricted method on the IDF_Project object to make the check.
Status: Fixed
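The rule the thread converges on, in code: the auth token goes into the feed URL only when the feed is restricted, that is, the project is private or the tab is limited to members or admins. The PHP below is an added example, not InDefero's code or the actual isRestricted() implementation from commit e5934e0; the Project class, the feedToken / verifyFeedToken / buildFeedUrl functions, the URL layout and the HMAC-based token scheme are all hypothetical. The token is derived from the user's password hash so that, as the reporter notes, a URL that leaks stops working once the password is changed.

```php
<?php
// Added example, not InDefero's code. Illustrates: append the feed token only
// when the feed is restricted. All names and the token scheme are hypothetical.

final class Project
{
    /** @param array<string,string> $tabAccess tab name => 'all' | 'members' | 'admins' */
    public function __construct(
        public string $shortname,
        public bool $private,
        public array $tabAccess,
    ) {}

    // Same intent as the isRestricted() check mentioned in comment 3:
    // restricted if the project is private, or if this tab is not open to all.
    public function isRestricted(string $tab): bool
    {
        if ($this->private) {
            return true;
        }
        return ($this->tabAccess[$tab] ?? 'all') !== 'all';
    }
}

// Hypothetical token: "<userId>-<HMAC>" where the HMAC covers the user id and
// the current password hash under a server-side secret. Unforgeable without
// the secret, and it changes whenever the password hash changes.
function feedToken(string $serverSecret, int $userId, string $passwordHash): string
{
    return $userId . '-' . hash_hmac('sha256', $userId . ':' . $passwordHash, $serverSecret);
}

// Server-side check: recompute from the user's *current* password hash and
// compare in constant time.
function verifyFeedToken(string $serverSecret, string $token, callable $passwordHashFor): bool
{
    $userId = explode('-', $token, 2)[0];
    if (!ctype_digit($userId)) {
        return false;
    }
    $expected = feedToken($serverSecret, (int) $userId, $passwordHashFor((int) $userId));
    return hash_equals($expected, $token);
}

function buildFeedUrl(Project $p, string $tab, ?int $userId, ?string $passwordHash, string $serverSecret): string
{
    $url = sprintf('/p/%s/%s/feed/', rawurlencode($p->shortname), rawurlencode($tab));
    // Only a logged-in user viewing a restricted feed gets a token in the URL.
    if ($userId !== null && $passwordHash !== null && $p->isRestricted($tab)) {
        $url .= 'token/' . feedToken($serverSecret, $userId, $passwordHash) . '/';
    }
    return $url;
}

// Constructed sample data (not real InDefero projects or users).
$secret  = 'constructed-server-secret';
$hashes  = [42 => 'hash-before-change'];
$lookup  = function (int $uid) use (&$hashes): string { return $hashes[$uid] ?? ''; };
$public  = new Project('indefero', false, ['timeline' => 'all', 'source' => 'members']);
$private = new Project('secret', true, ['timeline' => 'all']);

$cases = [
    // [project, tab, user id, token expected in URL?]
    [$public,  'timeline', 42,   false], // public feed: no token even when logged in
    [$public,  'source',   42,   true],  // members-only tab: token required
    [$private, 'timeline', 42,   true],  // private project: token required
    [$private, 'timeline', null, false], // anonymous user: nothing to embed
];
foreach ($cases as [$proj, $tab, $uid, $expectToken]) {
    $url = buildFeedUrl($proj, $tab, $uid, $uid === null ? null : $hashes[$uid], $secret);
    if (str_contains($url, '/token/') !== $expectToken) {
        throw new RuntimeException("unexpected URL: $url");
    }
    echo $url, "\n";
}

// A token issued before a password change must be rejected afterwards.
$old = feedToken($secret, 42, $hashes[42]);
$hashes[42] = 'hash-after-change';
if (verifyFeedToken($secret, $old, $lookup)) {
    throw new RuntimeException('stale token accepted');
}
echo "stale token rejected\n";
```

Run with `php feed_url.php` (PHP 8.0 or later). The check that matters for this issue is the first case: a logged-in user on a fully public feed gets a plain URL, so nothing secret can leak through a shared or bookmarked link, and the URL keeps working after a password change. Tying the token to the password hash is a design choice of this example; it means any password change also rotates every feed URL the user has handed out.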

Created: 11 months 15 days ago by Ciaran Gultnieks

Updated: 5 months 4 days ago

Status: Fixed

Followed by: 1 person

Labels:
Type: Defect
Priority: Medium