[Cosmo-dev] JSON-RPC considered harmful
Brian Moseley
bcm at osafoundation.org
Thu Dec 7 11:11:22 PST 2006
On 12/7/06, Travis Vachon <travis at osafoundation.org> wrote:
> To that end, the approach we're currently looking at consists of
> allowing all traffic to /cosmo/json-rpc through the Acegi filtering
> level and doing user and ticket authentication/authorization within
> the JSON-RPC service methods.
Well, not quite. We'll still use Acegi to authenticate and authorize
requests to /cosmo/json-rpc:
* We'll allow anonymous access to /json-rpc as well as user access.
* The existing RPC methods require a logged-in user and will
therefore have to include checks to make sure that precondition is met
(no anonymous access to these methods).
* Those same RPC methods will have to make sure the logged-in user
can only operate against items that he owns.
* New methods which use a ticket to access an item will manually
verify the ticket against the item without worrying whether there is a
logged-in user or not.
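The three rules above (reject anonymous callers in the existing methods, restrict a logged-in user to items he owns, and verify a ticket against the item without consulting the session) as a small self-contained Java sketch. This is an added illustration, not code from Cosmo or from this thread: the Item/ticket model, the service class and the setCurrentUser() hook are assumptions; in Cosmo the principal would come from Acegi's security context after the filter chain has run, and tickets would be looked up from the stored item.

```java
// Added illustration (not Cosmo's code): the three authorization rules from
// the message applied inside hypothetical JSON-RPC service methods. The
// principal lookup is stubbed via setCurrentUser(); in Cosmo it would be
// read from Acegi's security context. Item, tickets and names are made up.
import java.util.HashMap;
import java.util.Map;

public class RpcAuthzExample {

    /** Thrown when a precondition (logged-in user, ownership, ticket) fails. */
    public static class RpcAuthorizationException extends RuntimeException {
        public RpcAuthorizationException(String msg) { super(msg); }
    }

    /** Stand-in for an item: its owner and the tickets granted on it. */
    public static class Item {
        final String uid;
        final String owner;
        // ticket key -> privilege string ("r" for read, "rw" for read/write)
        final Map<String, String> tickets = new HashMap<String, String>();
        Item(String uid, String owner) { this.uid = uid; this.owner = owner; }
    }

    private final Map<String, Item> items = new HashMap<String, Item>();
    private String currentUser; // null models an anonymous request

    /** Hypothetical hook standing in for Acegi's SecurityContext lookup. */
    void setCurrentUser(String username) { this.currentUser = username; }

    /** Rule 1: the existing RPC methods require a logged-in user. */
    private String requireUser() {
        if (currentUser == null)
            throw new RpcAuthorizationException("anonymous access not permitted");
        return currentUser;
    }

    /** Rule 2: a logged-in user may only operate on items he owns. */
    private Item requireOwnedItem(String user, String uid) {
        Item item = items.get(uid);
        // Same error for "missing" and "not yours" so the caller cannot
        // probe which uids exist.
        if (item == null || !item.owner.equals(user))
            throw new RpcAuthorizationException("item not found or not owned by " + user);
        return item;
    }

    /** Rule 3: ticket methods verify the ticket against the item and ignore the session. */
    private Item requireTicket(String uid, String key, String neededPriv) {
        Item item = items.get(uid);
        String priv = (item == null) ? null : item.tickets.get(key);
        if (priv == null || !priv.contains(neededPriv))
            throw new RpcAuthorizationException("invalid ticket for " + uid);
        return item;
    }

    // --- RPC-style service methods ---

    /** Existing-style method: needs a user, and that user must own the item. */
    public String getItemAsUser(String uid) {
        Item item = requireOwnedItem(requireUser(), uid);
        return item.uid + " owned by " + item.owner;
    }

    /** New-style method: works for anonymous or logged-in callers alike. */
    public String getItemWithTicket(String uid, String ticketKey) {
        Item item = requireTicket(uid, ticketKey, "r");
        return item.uid + " via ticket";
    }

    public static void main(String[] args) {
        RpcAuthzExample svc = new RpcAuthzExample();
        Item i = new Item("item-1", "alice");   // constructed sample data
        i.tickets.put("t0k3n", "r");
        svc.items.put(i.uid, i);

        svc.setCurrentUser(null);               // anonymous: rule 1 rejects
        try { svc.getItemAsUser("item-1"); }
        catch (RpcAuthorizationException e) { System.out.println("anon: " + e.getMessage()); }

        svc.setCurrentUser("bob");              // wrong owner: rule 2 rejects
        try { svc.getItemAsUser("item-1"); }
        catch (RpcAuthorizationException e) { System.out.println("bob: " + e.getMessage()); }

        svc.setCurrentUser("alice");            // owner: allowed
        System.out.println(svc.getItemAsUser("item-1"));

        svc.setCurrentUser(null);               // anonymous with valid ticket: rule 3 allows
        System.out.println(svc.getItemWithTicket("item-1", "t0k3n"));
        try { svc.getItemWithTicket("item-1", "wrong"); }
        catch (RpcAuthorizationException e) { System.out.println("ticket: " + e.getMessage()); }
    }
}
```

The point the sketch makes is that once the filter chain lets anonymous traffic through to the RPC endpoint, every method body becomes an authorization boundary: a method that forgets requireUser() is reachable by anyone, and a ticket method must not fall back to the session user when the ticket check fails.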