On Wed, Jun 06, 2012 at 10:36:03AM -0700, Mark Diggory wrote:
> On Wednesday, June 6, 2012, helix84 wrote:
> > On Wed, Jun 6, 2012 at 5:31 PM, Mark Diggory <[email protected]> wrote:
> > > Now, the only important thing is that we want to be careful about exposing policies that probably should not be known to the world in OAI, Public Exports and DRI for unauthenticated users. Here we go, now we have a good example of the need for expressing "Access Controls" on "Metadata Sections" in the metadata-for-all dialog.
> >
> > Hmm, so there would be effectively "permission on access to list of permissions"? What would be the use case for hiding access to access policies?
>
> Personally, I never thought it good to expose the DRI or METS used in rendering the UI publicly outside the UI. It...
>
> A) forces us to worry about questions like securing access to the content used in rendering decisions that should not be shared with the world.
>
> B) conflates the content generation phase of the UI as a Public API... which it really shouldn't be. We do not guarantee any of these exposed renderings as an API.
>
> Generally, it's rather insecure to expose the write permissions on resources; you're going to be telling any attackers the names of accounts or groups of accounts to try to hack depending on those policies. Since they have access to the code, they can work to find a vulnerability. There's being open, then there's being foolhardy.
Those are debugging features. Maybe what we want here is a way to control who can get debug output? (Note: if we just configure it on/off globally, then there will be cases where someone needs to turn it on temporarily in a production system, which will expose it to everyone, which is what we want to prevent.)

-- 
Mark H. Wood, Lead System Programmer
[email protected]
Asking whether markets are efficient is like asking whether people are smart.
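The two designs contrasted in this thread (a site-wide debug switch versus a per-requester check before the policy section of a rendered record is emitted) as an added illustration that is not part of the original thread and does not use DSpace's own authorization API or DRI/METS serializers. The item record, the `view_policies` privilege name and the e-mail addresses are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample record (not a real DSpace item): public descriptive
# metadata alongside an access-policy section of the kind the thread says
# should not reach unauthenticated OAI/DRI/METS consumers.
SAMPLE_ITEM = {
    "handle": "123456789/1",
    "dc.title": "Example item",
    "policies": [
        {"action": "READ", "group": "Anonymous"},
        {"action": "WRITE", "eperson": "[email protected]"},
    ],
}

# Hypothetical privilege name; DSpace's real authorization model is not used here.
VIEW_POLICIES = "view_policies"
SENSITIVE_SECTIONS = ("policies",)


@dataclass(frozen=True)
class Requester:
    name: str
    privileges: frozenset = frozenset()


def redact(item, can_view_policies):
    """Return a copy of item with the sensitive sections removed unless permitted."""
    if can_view_policies:
        return dict(item)
    return {k: v for k, v in item.items() if k not in SENSITIVE_SECTIONS}


def render_global_toggle(item, debug_enabled):
    # The weak design: one site-wide switch. Flipping it on to diagnose a
    # problem in production exposes the policy section to every requester,
    # including anonymous harvesters.
    return redact(item, can_view_policies=debug_enabled)


def render_gated(item, requester):
    # The gated design: the decision is made per requester, so an anonymous
    # requester never sees the policy section even while an administrator
    # is using the debug output.
    return redact(item, can_view_policies=VIEW_POLICIES in requester.privileges)


def principals_exposed(rendered):
    """Account and group names an attacker could read off the rendered record."""
    return sorted(
        p.get("eperson") or p.get("group") for p in rendered.get("policies", [])
    )


if __name__ == "__main__":
    anonymous = Requester("anonymous")
    admin = Requester("[email protected]", frozenset({VIEW_POLICIES}))
    print("global toggle on, anonymous:",
          principals_exposed(render_global_toggle(SAMPLE_ITEM, True)))
    print("gated, anonymous:", principals_exposed(render_gated(SAMPLE_ITEM, anonymous)))
    print("gated, admin:", principals_exposed(render_gated(SAMPLE_ITEM, admin)))
```

`principals_exposed` is the check worth keeping around: run it against whatever an unauthenticated client actually receives (an OAI record, a public export, a DRI document) and it should come back empty, regardless of how any debug switch is currently set.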
_______________________________________________
DSpace-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-tech

