On 6/6/2012 12:36 PM, Mark Diggory wrote:
> Personally, I never thought it good to expose the DRI or METS used in
> rendering the ui publicly outside the ui. It...
> A) forces us to worry about questions like securing access to the
> content used in rendering decisions that should not be shared with the
> world.
>
> B) conflates the content generation phase of the UI as a Public API...
> Which it really shouldn't be. We do not guarantee any of these exposed
> renderings as an API.
> Generally, it's rather insecure to expose the write permissions on
> resources, you're going to be telling any attackers the names of accounts
> or groups of accounts to try to hack depending on those policies. Since
> they have access to the code, they can work to find a vulnerability.
> There's being open, then there's being foolhardy.
Admittedly though, it goes both ways. Not exposing this information in DRI/METS via the UI makes it more complex to develop complex Themes in XSLT. So, it is an extremely powerful tool for developers as they work to build new cool themes.

However, I do agree that once you go into "Production" mode, there should be some way to turn this off publicly if you want to (e.g. limit DRI/METS access to localhost / certain trusted IPs). It may not always be desirable for the general public to be able to play around with any of your enabled DSpace Crosswalks to see what they can find.

- Tim
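One way to apply the "limit DRI/METS access to localhost / certain trusted IPs" suggestion from the reply above, as an added example that is not part of the thread and not DSpace's own configuration: an Apache httpd 2.4 reverse proxy in front of the XMLUI denies the raw DRI and METS paths to everyone except an allow-list, while the rendered pages stay public. The `/xmlui` context path, the `/DRI/` and `/metadata/.../mets.xml` URL patterns, and the `192.0.2.0/24` trusted range are assumptions about a typical deployment; adjust them to the real install.

```apache
# Added example, not from the mailing-list thread or the DSpace project.
# Assumes Apache httpd 2.4 (mod_authz_core) proxying DSpace XMLUI at /xmlui.
# The path patterns below are assumptions about a typical XMLUI layout:
#   /xmlui/DRI/...                  raw DRI document behind a page
#   /xmlui/metadata/.../mets.xml    METS crosswalk output for an item
<LocationMatch "^/xmlui/(DRI/|metadata/.*/mets\.xml$)">
    # Only the local host and a constructed trusted range (documentation
    # prefix 192.0.2.0/24, replace with your own) may fetch these URLs.
    Require ip 127.0.0.1 ::1 192.0.2.0/24
</LocationMatch>

# Everything else under /xmlui stays public; the XSLT themes still render
# because the proxy, not the end user, talks to the application server.
<Location "/xmlui">
    Require all granted
</Location>
```

Because the restriction is enforced at the proxy, developers working from a trusted address keep the DRI/METS views they need for theme work, and the remaining DSpace crosswalks reachable under `/metadata/` would need their own matching rule if they are exposed at other paths.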

