• Resolved dhjdhj

    (@dhjdhj)


    Just discovered by sheer chance a few days after setting up a private group that the entire forum (all topics) in the private group are visible through the standard WordPress RSS feeds.

    I just installed the Disable Feeds plugin but that stops all RSS feeds. Fine for now but way too heavy handed.

    I couldn’t find anything in the Private Group plugin settings to disable RSS

Viewing 15 replies - 1 through 15 (of 25 total)
  • You probably have something set that shows the topics there, because I think that custom posts of type ‘topic’ are not shown in RSS feeds by default (but to be rechecked).
    This is a function I use to disable all RSS. You could just add it in your functions.php or anywhere you like if you don’t want to add a plugin.

    add_action( 'init', 'casiepa_remove_feeds', 99 );
    function casiepa_remove_feeds() {
    	// Disable all feeds: route every do_feed_* action to the error callback
    	foreach ( array( '', '_rdf', '_rss', '_rss2', '_atom', '_rss2_comments', '_atom_comments' ) as $feed ) {
    		add_action( 'do_feed' . $feed, 'casiepa_remove_feeds_error', 1 );
    	}

    	// Remove <link rel="alternate" type="application/rss+xml" ... /feed/ />
    	remove_action( 'wp_head', 'feed_links', 2 );

    	// Remove <link rel="alternate" type="application/rss+xml" ... /comments/feed/" />
    	remove_action( 'wp_head', 'feed_links_extra', 3 );

    	// ??? It might be needed to flush the rewrite rules : flush_rewrite_rules();
    }

    // Show message (declared at top level so it is never redeclared if the init callback runs twice)
    function casiepa_remove_feeds_error() {
    	wp_die( 'Feeds have been disabled.',
    		'Feeds disabled',
    		403
    	);
    }
    Thread Starter dhjdhj

    (@dhjdhj)

    That worked for now — thanks — I had beta product information in a private forum that leaked through this.

    The real question is whether your plugin can be configured simply to block RSS feeds for private forums.

    Plugin Author Robin W

    (@robin-w)

    @dhjdhj – Hi I’m the plugin author. I freely confess I know little/nothing of RSS, but would be very happy to add a blocker if one is needed, and someone can help me with direction for code.

    @casiepa – Pascal – any help you can give here would be very welcome

    So please a couple of questions

    1. is RSS of topics freely available on bbpress to logged in users, or @dhjdhj did your site have something that was enabling? in effect Pascal’s statement of “I think that custom posts of type ‘topic’ are not shown in RSS feeds by default (but to be rechecked).”

    2. as a user how do I add this to my ‘feed’ – sorry probably a very dumb question, but as I said I know nothing of RSS – I have enough information overload already without needing to subscribe to more, so don’t use RSS.

    3. Presume the ideal would be where a user gets the RSS feed of topics he is allowed to, but not stuff that should be blocked by Private groups plugin

    4. @casiepa I presume that bbpress would block RSS from a bbpress private forum? If so do you know how, and maybe I could hook to that with an extra check

    Thread Starter dhjdhj

    (@dhjdhj)

    Apparently you can go to any wordpress site and at the top level just append /feed to the main URL to see the list of available feeds. E.g. if your domain is

    https://www.foo.com

    then just go to

    https://www.foo.com/feed

    Thread Starter dhjdhj

    (@dhjdhj)

    Ooops — turns out that function did NOT work. Apparently there is also

    https://www.yoursite.com/forums/feed

    and that is still not blocked — I’m going to add a rewrite rule to block this for now

    Plugin Author Robin W

    (@robin-w)

    let us know how you are getting along.

    I’m planning to look at this in detail early next week

    Thread Starter dhjdhj

    (@dhjdhj)

    I just created rewrite rules so that those feed URLs produce 403 errors

    Plugin Author Robin W

    (@robin-w)

    ok I’m hoping that I can figure out how to block private groups but let other forums/topics/replies through.

    Not sure if that is of interest to you, but I’ll update this post for others

    Thread Starter dhjdhj

    (@dhjdhj)

    It absolutely is of interest. I would like the non-private threads in my forums to be accessible via RSS. This rewrite rule is (hopefully) a temporary solution

    Plugin Author Robin W

    (@robin-w)

    great – not sure if I’ll achieve it, but it won’t be through not trying!

    Thread Starter dhjdhj

    (@dhjdhj)

    Understood — but if you can’t, I would encourage you to mention this somewhere — it’s a huge hole.

    Plugin Author Robin W

    (@robin-w)

    I’ve just done some initial testing, and I can’t immediately replicate this.

    The feed excludes private group forums as I would expect

    Can you describe a test for me that I can recreate eg

    create a forum called x
    set it as xx and yy with group permissions of zz
    create a topic in this forum

    log into a feed with a not logged in user and you will see

    set a user to have cc groups and xx access and show that in a feed they have no access to they can see.

    Once I can replicate I can hopefully fix !

    • This reply was modified 7 years, 3 months ago by Robin W.

    @robin-w As I wrote above
    You probably have something set that shows the topics there, because I think that custom posts of type ‘topic’ are not shown in RSS feeds by default (but to be rechecked).

    I’m pretty sure another plugin or function is causing the topics/replies to be visible suddenly in the feed.
    To play safe, you could always add a ‘pre_get_posts’ to exclude the private ones

    function casiepa_exclude_filter( $query ) {
        // Only touch front-end feed requests; leave admin screens alone
        if ( ! is_admin() && $query->is_feed() ) {
            $query->set( 'post__not_in', array( YOUR_PRIVATE_POSTS ) ); // ids of the pages or posts to hide
        }
    }
    // pre_get_posts is an action; the query object is modified in place
    add_action( 'pre_get_posts', 'casiepa_exclude_filter' );
    Plugin Author Robin W

    (@robin-w)

    ok, from testing so far on my test site, with a clean twentyten theme and just bbpress and bbp private groups

    1. https://www.foo.com/feed does not show any topics or replies in any case I can find
    2. https://www.foo.com/topics/feed does show topics
    but only those that the user is entitled to see. The user will see topics if their browser is logged in on another tab, so if you have one tab logged in to your site and open another tab with https://www.foo.com/topics/feed, then it will see all that you as user can see. So if you are logged in as admin, then it will appear that it is leaky ! From my testing private groups correctly hides topics as needed.
    3. Can’t get ‘https://www.foo.com/forums/feed’ or ‘https://www.foo.com/replies/feed’ to show anything

    4. if you go into dashboard>settings>forums there is an option for how many topics and replies should be shown, so suspect that https://www.foo.com/topics/feed is expected, but not sure why ‘https://www.foo.com/replies/feed’ isn’t unless it is wrapped into the topics one. I’ll do some more digging.

    5. I also need to check the subscribe functions – just in case using them is turning stuff on, although I do have a filter on them already from memory

    @dhjdhj as @casiepa says- are you running something else that is making topics appear in the raw feed?

    @casiepa thanks for your further input – always good to have you helping. bbpress has a function bbp_user_can_view_forum that seems to be used by the rss feed, and that is easily filterable, so I can lean on that if needed, but I’d prefer to check that it is needed before adding further filters to my plugin. I’d need to check what else is used by that function as well.

    Plugin Author Robin W

    (@robin-w)

    ok, I’m now buried in code.

    The bbpress feeds get the topics/replies from the bbp_has_topics and bbp_has_replies functions, both of which I filter. There is a single topic element in there which doesn’t use those functions which I can filter, but I can’t yet see that it is ever called, and I suspect would need the user to know that the topic exists.

    @dhjdhj would be good to hear back from you.
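    The following is an added example, not code from the bbp-private-groups plugin or from either poster, that combines the two ideas above: casiepa’s pre_get_posts approach and Robin’s note that bbp_user_can_view_forum() is what bbPress (and the Private Groups filters on it) use to decide forum visibility. It assumes bbPress is active and that topics and replies carry the _bbp_forum_id post meta, which bbPress sets; the function names prefixed example_ are invented for this snippet.

```php
<?php
// Added example (not plugin code): drop bbPress topics and replies from feed
// queries when they belong to a forum the requesting user may not view.
// bbp_user_can_view_forum() is the bbPress check that Private Groups filters,
// so group permissions carry over to /topics/feed and /replies/feed.
add_action( 'pre_get_posts', 'example_hide_private_forum_feeds' );

function example_hide_private_forum_feeds( $query ) {
    if ( is_admin() || ! $query->is_feed() || ! $query->is_main_query() ) {
        return;
    }
    if ( ! function_exists( 'bbp_user_can_view_forum' ) ) {
        return; // bbPress not active, nothing to protect
    }
    // Only bbPress content types store _bbp_forum_id; a meta NOT IN clause on
    // the blog feed would wrongly drop ordinary posts, so restrict by type.
    $types     = (array) $query->get( 'post_type' );
    $bbp_types = array( bbp_get_topic_post_type(), bbp_get_reply_post_type() );
    if ( ! array_intersect( $types, $bbp_types ) ) {
        return;
    }
    $hidden = example_forums_hidden_from( get_current_user_id() );
    if ( empty( $hidden ) ) {
        return;
    }
    // Both topics and replies record their forum in _bbp_forum_id meta.
    $meta_query   = (array) $query->get( 'meta_query' );
    $meta_query[] = array(
        'key'     => '_bbp_forum_id',
        'value'   => $hidden,
        'compare' => 'NOT IN',
    );
    $query->set( 'meta_query', $meta_query );
}

// Returns the ids of every forum the given user is not allowed to view.
function example_forums_hidden_from( $user_id ) {
    $forum_ids = get_posts( array(
        'post_type'        => bbp_get_forum_post_type(),
        'post_status'      => 'any',
        'posts_per_page'   => -1,
        'fields'           => 'ids',
        'suppress_filters' => true, // avoid re-entering pre_get_posts filters
    ) );
    $hidden = array();
    foreach ( $forum_ids as $forum_id ) {
        if ( ! bbp_user_can_view_forum( array( 'user_id' => $user_id, 'forum_id' => $forum_id ) ) ) {
            $hidden[] = (int) $forum_id;
        }
    }
    return $hidden;
}
```

    A quick check after installing it: open /topics/feed in a private browser window (not logged in) and compare the items against the same URL while logged in as a group member; the two lists should differ exactly by the private group’s topics.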

  • The topic ‘Private groups leaking via RSS’ is closed to new replies.