RSS Opens View Access to Anyone

I’ve been evaluating Kanboard for use within our organization, love the simplicity and was getting it set up and configured in preparation for launch when I discovered the “Public Access” feature. Any user, regardless of permissions, can enable an RSS feed, and then anyone with that link can see the feed. What that means is that if someone either inadvertently enables the feed and shares it out of convenience, or someone decides to maliciously share it, the organization’s projects can be easily seen in the wild. It would be nice if this feature could be disabled by the admin for security reasons.


A regular user can only enable his personal feed. To avoid this, I’d remove the Public access section from the user’s My profile sidebar.

Thanks for your feedback. The only way I see to do this is to make changes in the code which could be undone the next time an update for the app comes out. Am I missing something?

Of course you’re right. Nevertheless, I think it’s the easiest way. Personally, I’m keeping such patches at hand for fixing some annoyances. Currently none for Kanboard :wink:

A possibly better way is writing a plugin that overloads the template in charge. But then you might run into other trouble.
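One way to realise the plugin approach, as an added example that is not part of the thread and not code from the Kanboard project: a minimal plugin that overrides the user-profile sidebar template with a copy that omits the Public access link, so the change survives core updates. The plugin name `HidePublicFeed`, the template identifier `user_view/sidebar`, and the location of the copied template are assumptions to be checked against the installed Kanboard version; `setTemplateOverride()` is the documented Kanboard plugin mechanism for replacing a core template.

```php
<?php
// plugins/HidePublicFeed/Plugin.php  (hypothetical plugin, added example)
//
// Kanboard loads every plugins/<Name>/Plugin.php at start-up and calls
// initialize(). Overriding a template here keeps the customisation out of
// the core tree, so an upgrade of Kanboard does not silently restore the
// "Public access" entry in the profile sidebar.

namespace Kanboard\Plugin\HidePublicFeed;

use Kanboard\Core\Plugin\Base;

class Plugin extends Base
{
    public function initialize()
    {
        // ASSUMPTION: 'user_view/sidebar' is the core template that renders
        // the My profile sidebar (including the Public access link).
        // Verify the name under app/Template/ for your Kanboard version.
        //
        // The override points at plugins/HidePublicFeed/Template/user_view/sidebar.php,
        // which is a verbatim copy of the core sidebar template with the
        // "Public access" <li> removed. Keep everything else identical so
        // that the remaining profile pages keep working.
        $this->template->setTemplateOverride(
            'user_view/sidebar',
            'HidePublicFeed:user_view/sidebar'
        );
    }

    public function getPluginName()
    {
        return 'HidePublicFeed';
    }

    public function getPluginDescription()
    {
        return 'Removes the Public access (RSS/iCal) entry from the user profile sidebar.';
    }

    public function getPluginAuthor()
    {
        return 'Local administrator';
    }

    public function getPluginVersion()
    {
        return '0.1.0';
    }

    public function getPluginHomepage()
    {
        return 'https://example.invalid/hide-public-feed'; // placeholder
    }
}
```

Hiding the sidebar entry only removes the convenient way to enable a feed; a feed that was already enabled keeps its token, and the feed endpoint itself is unchanged. After deploying the override, audit existing users for feeds enabled before the change and disable them, and re-check the overriding template against the core one after each upgrade so that no new sidebar entries are lost.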

Finally, the clean way might be securing the feed with authorization, even if it’s no longer public then.
