[Cosmo-dev] JSON-RPC considered harmful

Bobby Rullo br at osafoundation.org
Tue Dec 5 22:45:59 PST 2006


That's not a problem with RPC now. Calendar paths are always resolved relative to the current logged-in user, so you can't specify a collection that's outside your space - unless you can do something like "../bcm/stuff", which I think we took care of already.

On Dec 5, 2006, at 10:27 PM, Brian Moseley wrote:

> On 12/5/06, Randy Letness <randy at osafoundation.org> wrote:
>
>> Yeah, that's what I was thinking too: require the ticket as part of the rpc call, and do a check as part of the rpc impl. With the way things work now, isn't there still a problem of "hijacking" a collection (provide valid creds to access /cosmo/JSON-RPC, but specify a collection in the body that's not yours)?
>
> yes.
> _______________________________________________
> cosmo-dev mailing list
> cosmo-dev at lists.osafoundation.org
> http://lists.osafoundation.org/mailman/listinfo/cosmo-dev
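A defender-side sketch of the two checks discussed in this thread: resolve the collection path in the RPC body relative to the logged-in user and reject anything that escapes that space (the "../bcm/stuff" case), then verify the supplied ticket against the resolved collection. This is an added Python example, not Cosmo's own code; the `/<user>/` layout and the in-memory ticket store are assumptions.

```python
import posixpath


class AccessDenied(Exception):
    """Raised when a JSON-RPC request names a collection the caller may not touch."""


def resolve_collection(user: str, requested: str) -> str:
    """Resolve `requested` relative to the logged-in user's space.

    Assumed layout: every user's collections live under /<user>/. The path
    from the RPC body is always treated as relative to that base, and any
    ".." segments that would climb out of it are rejected rather than honored.
    """
    if not user or "/" in user or user in (".", ".."):
        raise AccessDenied("invalid user")
    base = "/%s/" % user
    # Strip a leading slash so "/bcm/stuff" cannot be used as an absolute path.
    candidate = posixpath.normpath(base + requested.lstrip("/"))
    # normpath collapses "stuff/../../bcm" to "/bcm"; confirm we are still inside base.
    # base keeps its trailing slash so "/alice2/x" is not mistaken for alice's space.
    if candidate != base.rstrip("/") and not candidate.startswith(base):
        raise AccessDenied("path escapes user space: %r" % requested)
    return candidate


def check_ticket(tickets, collection: str, ticket: str) -> bool:
    """tickets: constructed store mapping resolved collection path -> set of valid ticket keys."""
    return bool(ticket) and ticket in tickets.get(collection, set())


def handle_rpc(user: str, body: dict, tickets) -> str:
    """Authorize one RPC call: resolve the path first, then check the ticket
    against the resolved collection (not the raw string from the body)."""
    collection = resolve_collection(user, body.get("collection", ""))
    if not check_ticket(tickets, collection, body.get("ticket", "")):
        raise AccessDenied("ticket not valid for %s" % collection)
    return collection


if __name__ == "__main__":
    store = {"/alice/stuff": {"t-123"}}  # constructed sample data
    print(handle_rpc("alice", {"collection": "stuff", "ticket": "t-123"}, store))
```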


