[MODDB] Smartfeed for phpBB 3

leanne.kwok · Post by **leanne.kwok** » Thu Oct 30, 2008 12:11 am

Hi. I'm new to php as well as phpbb. I was asked to setup a phpbb forum which supports RSS authentication via an authentication token. I was glad that I found this MOD and it works perfect! I would like to give a big thank you to Mark and all others who have contributed.

My forum is using CAS authentication (feature provided by the CasAuthLdapBB MOD @ http://www.phpbb.com/community/viewtopi ... 6&t=399977), and I had to make some modifications to Smartfeed to get it working.

CasAuthLdapBB allows users to login/logout via the CAS server, and it also grabs user information (user's name, email address, etc) from LDAP. This part here works very similar to the LDAP authentication provided by phpbb by default. I have had a read of bvrielink's post on querying the possibility of getting Smartfeed to work with LDAP authentication. I have some thoughts on it based on the observation of phpbb's behaviour with the CAS authentication, which might not be exactly the same for the LDAP authentication case - please correct me if I am wrong.

When a user first logs in to phpbb via CAS/LDAP, phpbb retrieves the user's account information including the password (encrypted), and stores them locally in the phpbb database. This persisted password can then be used to generate the authentication token as well as authenticate the user on a feed request. However, as far as I know, this phpbb persisted password will not get updated even if the one in LDAP changes(?), which then means that there is no way to invalidate a previously generated feed URL -> security issue

I will be doing work on synchronizing phpbb's user info with LDAP's later, so I decided to still go with this approach. Here are the changes that I've made to get Smartfeed working with the CAS authentication.

In smartfeed.php -
Find:

Code: Select all

		case 'ldap':

Add before:

Code: Select all

		case 'casldap':
			$registered_user = true;
			break;

The logout_casldap() method normally redirects the user to the CAS server logout page, but in here it outputs some html to the RSS xml file which makes it invalid. So I've changed it to skip the logout process for 'casldap'.

In smartfeed.php -
Find:

Code: Select all

	include_once($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx);

	$method = 'logout_' . $method;
	if (function_exists($method))
	{
		$method($user->data, $new_session);
	}

Replace with:

Code: Select all

	if ($method != 'casldap')
	{
		include_once($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx);

		$method = 'logout_' . $method;
		if (function_exists($method))
		{
			$method($user->data, $new_session);
		}
	}

This seems to work for now, but if anyone can suggest a better solution it would be much appreciated!

MarkDHamill · Post by **MarkDHamill** » Thu Oct 30, 2008 1:31 am

Hi. Glad to see experimentation in the area of LDAP, but I am still stymied because I don't see any way to retrieve the password from an LDAP database so it can be turned into an authentication token. I don't have LDAP installed but presumably the user_password column in the phpbb_users table is either blank or not to be trusted when LDAP is installed, as it is stored in LDAP, not the phpbb_users table, which means that the phpbb_users table is not an authoritative reference. The closest I could find looking at PHP LDAP functions and auth_ldap.php is this snippet of code in auth_ldap which is where a user entered password is passed to LDAP. It returns a set of rows. If there is a row, this apparently means the password is validated.

Code: Select all

	$ldap_result = @ldap_get_entries($ldap, $search);

	if (is_array($ldap_result) && sizeof($ldap_result) > 1)
	{
		if (@ldap_bind($ldap, $ldap_result[0]['dn'], htmlspecialchars_decode($password)))
		{
			@ldap_close($ldap);

			$sql ='SELECT user_id, username, user_password, user_passchg, user_email, user_type
				FROM ' . USERS_TABLE . "
				WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'";
			$result = $db->sql_query($sql);
			$row = $db->sql_fetchrow($result);
			$db->sql_freeresult($result);

			if ($row)
			{
				unset($ldap_result);

				// User inactive...
				if ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE)
				{
					return array(
						'status'		=> LOGIN_ERROR_ACTIVE,
						'error_msg'		=> 'ACTIVE_ERROR',
						'user_row'		=> $row,
					);
				}

				// Successful login... set user_login_attempts to zero...
				return array(
					'status'		=> LOGIN_SUCCESS,
					'error_msg'		=> false,
					'user_row'		=> $row,
				);
			}

smartfeed_url.php simply encrypts the md5 hash of the password stored in the user_password column of the phpbb_users table and passes it to the template.

If you are doing something different please let me know. I would like to support LDAP for authenticated users, just don't understand how it is being done.

RobInk · Post by **RobInk** » Tue Nov 18, 2008 7:21 pm

MarkDHamill wrote:BTW, if you get it working and can send an exact list of changes you made to 2.2.3 please send them to me so I can include it in the /contrib folder. A number of people have wanted to get it to work with Joomla.

Mark,

We had a new style implemented, and after that I tried the latest release of the mod on our phpbb3forum again but I still have that error and the feed does not work.

Error ; limit parameter is either not present or is not an allowed value.

Part of my feed url is: /smartfeed.php?u=191&e=EB0ECKuDjcj0UrbZTybN9g8t5JpCqitdZt6rYPMhMJAf14PwjKPaRg..&lastvisit=1&forum=372&limit=LF&count_limit=25&sort_by=user&feed_type=RSS2.0&feed_style=HTML

Could you help me pin point the problem? I also disabled the htaccess protection but that was not it.

Thanks Robin

MarkDHamill · Post by **MarkDHamill** » Tue Nov 18, 2008 7:52 pm

Have you upgraded to version 2.2.4? I squashed the bug with the limit parameter but your URL looks fine.

I assume that you are integrating with Joomla?

RobInk · Post by **RobInk** » Tue Nov 18, 2008 8:03 pm

Hi,

I have indeed 2.2.4. installed. And the forum is running stand alone, no integration with Joomla!

Where do I check for that bug? Which file? Just in case one of the new files was not overwritten with FTP?

MarkDHamill · Post by **MarkDHamill** » Tue Nov 18, 2008 8:38 pm

Here is the code in smartfeed.php that generates the error message:

Code: Select all

// Determine if this is a public request. If so only public forums will be shown.
if ($user_id != ANONYMOUS && $encrypted_pswd != 'NONE')
{
	// Feed privileges are dependent upon the auth_method. This code makes this program consistent with smartfeed_url.php
	switch ($config['auth_method'])
	{
		case 'db':
			$registered_user = true;
			break;
		case 'apache':
			if ($config['sf_apache_htaccess_enabled'])
			{
				$registered_user = true;
			}
			else
			{
				handle_error('SMARTFEED_APACHE_AUTHENTICATION_WARNING_REG');
			}
			break;
		case 'ldap':
		default:
			$user_id = ANONYMOUS;
			$encrypted_pswd = 'NONE';
			break;
	}
}
else if (!(($user_id == ANONYMOUS) && ($encrypted_pswd == 'NONE')))
{
	// Logically if only the u or the e parameter is present, the URL is inconsisent, so generate an error.
	if ($user_id == ANONYMOUS)
	{
		handle_error('SMARTFEED_NO_U_ARGUMENT');
	}
	if ($encrypted_pswd == 'NONE')
	{
		handle_error('SMARTFEED_NO_E_ARGUMENT');
	}
}

If the URL identified the user as public, &limit=LF would not be allowed. So I would start there. What is the authentication method in the database?

Code: Select all

	switch ($config['auth_method'])

Since you are getting an error message, it is likely because you enabled Apache authentication. If so, make sure you go into the Smartfeed ACP interface and click the checkbox next to Apache .htaccess enabled for Smartfeed. Then submit. Of course you also have to make a change to the .htaccess file to allow smartfeed.php to bypass the authentication.

MarkDHamill · Post by **MarkDHamill** » Tue Nov 18, 2008 8:58 pm

Okay, I may be looking at the wrong code. This is generating the error message:

Code: Select all

// Get the limit parameter. It limits the size of the newsfeed to a point in time from the present, either a day/hour/minute interval, no limit
// or the time since the user's last visit. It should always exist. If it doesn't exist or the value passed is invalid, trigger an error.
// Please note that for public users no message older than SMARTFEED_DEFAULT_FETCH_TIME_LIMIT can actually be retrieved to avoid huge 
// newsfeeds and excessive strain on the database.
$time_limit = request_var('limit', '', true);
if ($registered_user && (!(in_array($time_limit, $smartfeed['SMARTFEED_TIME_LIMIT_REGISTERED']))))
{
	handle_error('SMARTFEED_LIMIT_FORMAT_ERROR');
}
if (!$registered_user && (!(in_array($time_limit, $smartfeed['SMARTFEED_TIME_LIMIT_UNREGISTERED']))))
{
	handle_error('SMARTFEED_LIMIT_FORMAT_ERROR');
}

I am betting $registered_user is false because if false, LF is not allowed as a parameter for limit. Public users have no last visit date, so LF is meaningless. However if the u and e parameters are present, $registered_user should be true.

And it would only be false if LDAP authentication is enabled or is if $config['auth_method'] is something other than db or apache.

What is the value of auth_method? You could use phpMyAdmin and browse the phpbb_config table to get the value.

RobInk · Post by **RobInk** » Wed Nov 19, 2008 8:11 am

Hi Mark,

Thanks again for the quick reply, I'll make sure to have a look at this today.

Here are my complete settings in the DB:

"sf_all_by_default";"1";"0"
"sf_apache_htaccess_enabled";"0";"0"
"sf_atom_10_value";"ATOM1.0";"0"
"sf_auto_advertise_public_feed";"1";"0"
"sf_default_fetch_time_limit";"720";"0"
"sf_feed_image_path";"imageset/site_logo.gif";"0"
"sf_max_items";"100";"0"
"sf_privacy_mode";"1";"0"
"sf_public_feed_url_suffix_atom";"feed_type=ATOM1.0&limit=%s&sort_by=%s&feed_style=%s&amp";"0"
"sf_public_feed_url_suffix_rss";"feed_type=RSS2.0&limit=%s&sort_by=%s&feed_style=%s&amp";"0"
"sf_require_ip_authentication";"0";"0"
"sf_rfc1766_lang";"en-GB";"0"
"sf_rss_10_value";"RSS1.0";"0"
"sf_rss_20_value";"RSS2.0";"0"
"sf_show_sessions";"0";"0"
"sf_show_username_in_first_topic_post";"1";"0"
"sf_show_username_in_replies";"1";"0"
"sf_smartfeed_host";"phpbbservices.com";"0"
"sf_smartfeed_page_url";"http://phpbbservices.com/smartfeed/";"0"
"sf_smartfeed_title";"phpBB Smartfeed";"0"
"sf_smartfeed_title_explain";"Access this board with a newsreader";"0"
"sf_smartfeed_title_short";"Smartfeed";"0"
"sf_suppress_forum_names";"0";"0"
"sf_ttl";"60";"0"
"sf_version";"2.2.4";"0"
"sf_webmaster";;"0"

RobInk · Post by **RobInk** » Wed Nov 19, 2008 8:41 am

I forgot auth-method;

auth_method, smf

Should be different I guess? We have been running an smf forum before, and performed a migration. Maybe a left over and needs to be changed?

RobInk · Post by **RobInk** » Wed Nov 19, 2008 8:49 am

Yes!

Thank you so much... pointing me to that authentication method did the trick. Set it to DB and now the mod seems to work. No actual feeds yet, just visited the forum of course, but no error message either.

Going to implement on the live forum now and see how that goes... thanks again for the support. I'll let you know once it is up and running.

MarkDHamill · Post by **MarkDHamill** » Wed Nov 19, 2008 1:14 pm

I am glad it is working. I've never seen an auth method of "smf" before. I assume you were trying out some sort of integration with another package.

jstegall · Post by **jstegall** » Thu Nov 20, 2008 7:11 pm

So hi. I have SmartFeed working in my forum and it looks like it will work very nicely for my needs, but only in the browser thus far. If I attempt to view the feed in Outlook 2007, for example, I get the following error:

An error occurred running phpBB Smartfeed. As a result, no content can be returned. Use this error information as a guide to correcting the problem. Please note that you must use this program to create a URL that can be used with phpBB Smartfeed. The error is: phpBB Smartfeed does not accept the feed_type parameter value given or the feed_type parameter is absent.

I'd love to hear if there is something I can do to fix this. I have run into this issue on other RSS modules, for what it's worth, and I have been unable to get Outlook to view a feed because it seems to attempt authentication.

Thanks,
Jon

MarkDHamill · Post by **MarkDHamill** » Thu Nov 20, 2008 7:29 pm

It is possible that Outlook is garbling the URL generated by Smartfeed, but more likely when you copied and pasted it, you may have deleted a character.

The URL should show a feed_type parameter with the only allowed values RSS2.0, RSS1.0 or ATOM1.0. If not one of these smartfeed.php will generate this error message.

jstegall · Post by **jstegall** » Thu Nov 20, 2008 7:38 pm

Hi Mark,

Thanks for the quick reply. The URL that I've generated and copied is

http://domain/smartfeed.php?&limit=NO_L ... style=HTML

I'm using Firefox, so I then asked to subscribe to the feed in Outlook and got the error.

Any other ideas?

Thanks again,
Jon

MarkDHamill · Post by **MarkDHamill** » Thu Nov 20, 2008 7:47 pm

Only thing I can think of is Outlook has some quirk that it strips or transforms parameters in URLs. The URL looks fine.

You might want to try it in another reader like Google Reader to verify the problem is with Outlook. There may be some sort of obscure Outlook setting you can enable to fix it. I don't use Outlook.

advertisements