[Cosmo-dev] JSON-RPC considered harmful

Randy Letness randy at osafoundation.org
Tue Dec 5 22:27:10 PST 2006


Brian Moseley wrote:
> as i told travis in irc earlier, i was envisioning simple anonymous
> json-rpc access to a separate url with just the methods needed for
> anonymous calendar viewing. all of these method signatures would
> include a ticket key and would do manual ticket authentication.
>

Yeah that's what I was thinking too, require the ticket as part of the 
rpc call, and do a check as part of the rpc impl. With the way things 
work now, isn't there still a problem of "hijacking" a collection 
(provide valid creds to access /cosmo/JSON-RPC, but specify collection 
in the body that's not yours)?

-Randy
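An added example (not Cosmo's own code) of the check described above: each anonymous JSON-RPC method takes the ticket key as an explicit parameter and verifies that the ticket is bound to the collection named in the request body, so valid credentials for one collection cannot be used to read another. Ticket keys, collection uids and the `getEvents` method name are constructed placeholders.

```python
import json

# Constructed sample data: each ticket key is bound to exactly one collection
# uid and a set of permissions (placeholder values, not real Cosmo identifiers).
TICKETS = {
    "tkt-alice-1": {"collection": "coll-alice", "perms": {"read"}},
    "tkt-bob-1": {"collection": "coll-bob", "perms": {"read"}},
}
COLLECTIONS = {
    "coll-alice": ["alice: dentist 10:00"],
    "coll-bob": ["bob: standup 09:30"],
}


def authorize(ticket_key, collection_uid, perm="read"):
    """True only if the ticket exists, is bound to the collection named in the
    request body, and grants the required permission."""
    ticket = TICKETS.get(ticket_key)
    if ticket is None:
        return False
    # Binding the check to the requested collection is the point: a valid
    # ticket for collection A must not unlock collection B named in the body.
    return ticket["collection"] == collection_uid and perm in ticket["perms"]


def get_events(collection_uid, ticket_key):
    """Anonymous-view method: the ticket check happens inside the rpc impl."""
    if not authorize(ticket_key, collection_uid):
        raise PermissionError("ticket not valid for this collection")
    return COLLECTIONS[collection_uid]


METHODS = {"getEvents": get_events}


def handle_rpc(raw_request):
    """Dispatch one JSON-RPC request; params are positional, as in JSON-RPC 1.0."""
    req = json.loads(raw_request)
    rid = req.get("id")
    method = METHODS.get(req.get("method"))
    if method is None:
        return {"id": rid, "result": None, "error": "unknown method"}
    try:
        return {"id": rid, "result": method(*req.get("params", [])), "error": None}
    except PermissionError as exc:
        return {"id": rid, "result": None, "error": str(exc)}
```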

