
Make Generate PDF link work when Feed Sharing is set to "Restricted" #1001

Open
joshreisner opened this issue Dec 14, 2022 · 12 comments

Comments

@joshreisner
Contributor

Contact Details

No response

Requested Feature/Enhancement

In writing instructions to assist this user, I believe it's time to deprecate the concept of feed security.

This means:

  • getting rid of &key=abc123 from meeting feeds
  • never returning 401 Unauthorized
  • remove the "Feed Management" section from the Settings page
  • meetings feed URL meta tag always present

Why?

  1. The concept is unnecessarily complex. See the topic above to see how it confuses users and how complex the instructions are
  2. Feed security itself is against our goals. While we don't have examples of people using automated scripts to scrape meeting data from websites, this should be something that we actually encourage. Other sites are reposting AA meetings, the issue is that they're getting it wrong, because it's not automated. See this recent TiAA topic for background.
  3. We want to decrease the surface area of the plugin overall, this means removing this type of non-critical logic

TSML Version

Latest (default)

Wordpress Version

Latest (default)

@tim-rohrer
Contributor

I believe this is too big of a change (affecting possibly hundreds of users) to take unilaterally by C4R, and it should involve broader community discussion with webmasters. Perhaps a public comment period of, say, three months?

It may take some education. As we’ve discussed in the past, I agree with this proposal, but believe we will end up fielding questions/pushback from too many people who either disagree or don’t understand.

We could start with:

  • Convert this to a Discussion and frame as a public comment opportunity.
  • Advertise through TIAA Forum and users we know from other fellowships with the link to the Discussion thread.
  • Use our banner in TSML to announce the proposal and opportunity to comment.

@joshreisner
Contributor Author

@tim-rohrer good suggestions, thanks. let's bring this first to GSO in our monthly meeting, then take it from there

@anchovie91471
Collaborator

Since feeds can contain contact info with, potentially, name, phone number, and email address, isn’t this a potential security/anonymity issue?

@kiyote33
Collaborator

I'm not sure when we quit generating the key for the private data source feed, but did we jump the gun on that?

@joshreisner
Contributor Author

joshreisner commented May 24, 2023

huh? we did not make any changes yet.

the feed only contains personal contact info if it's not private (the site chooses to display it publicly)

@anchovie91471
Collaborator

huh? we did not make any changes yet.

the feed only contains personal contact info if it's not private (the site chooses to display it publicly)

Ok. Given that info, then to me it seems pointless to have the key. The feed being a reformatted version of what is already visible publicly, hiding it doesn’t serve a purpose I can think of.

@kiyote33
Collaborator

@joshreisner I'm a little confused here! The Feed Sharing 'restricted' option no longer has a generated private data source URL with embedded key. If you try to access a restricted feed without a key you get rejected for security-related reasons. So, how does one create a keyed feed URL if they have restricted turned on?

@joshreisner
Contributor Author

The Feed Sharing 'restricted' option no longer has a generated private data source URL with embedded key

i don't know what this means, could you rephrase?

i have set our demo site feed to "Restricted"

https://code4recovery.org/wp-admin/admin-ajax.php?action=meetings no longer works but
https://code4recovery.org/wp-admin/admin-ajax.php?action=meetings&key=2e506aa247ba9cc615226491e7c1e365 does

this is as it's always been, i'm not aware of any changes

@kiyote33
Collaborator

My confusion comes from the second URL you posted. Where did you get the keyed URL from?

@kiyote33
Collaborator

I see the answer to my question now. When you add apps to have access, the key is embedded in the link URL.

@joshreisner
Contributor Author

yes one must manually add authorized apps. no change there. seems like confirmation that this feature is very confusing and should be removed

@joshreisner
Contributor Author

i think after our "security incident" (perception that having a publicly-accessible CSV link is a security gap) i am not so sure we should disable all feed security.

perhaps there is an action here to create a PDF authorized app if the user clicks on Generate PDF when sharing is restricted. Going to re-name the issue accordingly

@joshreisner joshreisner changed the title Remove feed security Make Generate PDF link work when Feed Sharing is set to "Restricted" Feb 14, 2024