[Cosmo-dev] JSON-RPC considered harmful

Brian Moseley bcm at osafoundation.org
Tue Dec 5 22:27:56 PST 2006


On 12/5/06, Randy Letness <randy at osafoundation.org> wrote:

> Yeah that's what I was thinking too, require the ticket as part of the
> rpc call, and do a check as part of the rpc impl.  With the way things
> work now, isn't there still a problem of "hijacking" a collection
> (provide valid creds to access /cosmo/JSON-RPC, but specify collection
> in the body that's not yours)?

yes.
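
The check discussed in this exchange, sketched in Python as an added example (not Cosmo's code and not part of the original message): the RPC implementation authorizes the collection named in the request body against the authenticated user or a supplied ticket, instead of trusting endpoint authentication alone. All data, method names and helper functions below are hypothetical.

```python
import json

# Constructed sample data (all names hypothetical): collection owners, and
# tickets that grant privileges on exactly one collection.
OWNERS = {"alice-cal": "alice", "bob-cal": "bob"}
TICKETS = {"tkt-ro-bob": {"collection": "bob-cal", "privileges": {"read"}}}
ITEMS = {"alice-cal": ["dentist"], "bob-cal": ["standup"]}

# Privilege each RPC method needs on the collection it names.
METHODS = {"getItems": "read", "deleteCollection": "write"}


def is_authorized(user, collection, ticket, privilege):
    """Object-level check: the owner, or a ticket issued for this collection."""
    if OWNERS.get(collection) == user:
        return True
    grant = TICKETS.get(ticket) if isinstance(ticket, str) else None
    return bool(grant and grant["collection"] == collection
                and privilege in grant["privileges"])


def handle_rpc(user, body):
    """`user` authenticated to the endpoint; `body` is the raw JSON-RPC
    request. Endpoint authentication never authorizes the collection itself."""
    req = json.loads(body)
    rid, method, params = req.get("id"), req.get("method"), req.get("params")
    if (method not in METHODS or not isinstance(params, list)
            or not params or not isinstance(params[0], str)):
        return {"id": rid, "result": None, "error": "bad request"}
    collection = params[0]
    ticket = params[1] if len(params) > 1 else None
    # Same error for "unknown" and "not yours", so collection ids
    # cannot be probed through the error message.
    if collection not in OWNERS or not is_authorized(
            user, collection, ticket, METHODS[method]):
        return {"id": rid, "result": None, "error": "forbidden"}
    if method == "getItems":
        return {"id": rid, "result": list(ITEMS[collection]), "error": None}
    ITEMS.pop(collection)
    OWNERS.pop(collection)
    return {"id": rid, "result": True, "error": None}


def call(user, method, *params):
    """Build a JSON-RPC 1.0 style request and dispatch it as `user`."""
    body = json.dumps({"id": 1, "method": method, "params": list(params)})
    return handle_rpc(user, body)
```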

