On Jun 16, 2010, at 09:31 PM, Fil wrote:

> I see no mention of access control. Will we use OAuth or something?
Well, this is an interesting question <wink>. The way I've been thinking about it has been that the REST interface currently in the core engine is essentially an unprotected administrative interface. We would only ever expose it by default on localhost. For a publicly accessible REST front-end, we'd use OAuth and lock down permission based on privilege, but this would be a separate process and interface from the core. I know that's somewhat controversial but given the nightmarish complexity of lazr.restful and Zope's publisher, it was IMO an entirely justified architecture.

With the switch to restish, it may be feasible to put security in the core. The tricky thing is doing this for end-user scripting while still allowing something like the webui to have unlimited, essentially root access.

-Barry
_______________________________________________
Mailman-Developers mailing list
mailman-developers@python.org
http://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9
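The split Barry describes (an unprotected core REST interface reachable only on localhost, with a separate front-end that authenticates callers and allows only what their privilege permits before forwarding) can be sketched as a small authorization gate. This is an added illustration, not Mailman code; the token table, the privilege names, the core port 8001 and the list paths are all constructed assumptions, and the static token dict stands in for real OAuth token validation.

```python
"""Privilege gate for a front-end sitting in front of a localhost-only admin core.

Constructed example: the core listens on 127.0.0.1 only, so this gate is the
single path in from the outside. A request is forwarded only when the caller's
privilege explicitly permits that (method, path) pair.
"""
import posixpath
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

CORE_BASE = "http://127.0.0.1:8001"  # assumption: core bound to loopback only

# Constructed token table; a real deployment would validate OAuth tokens here.
TOKENS = {
    "tok-webui": "root",            # the web UI gets unrestricted access
    "tok-owner-alpha": "owner:alpha",
    "tok-script": "member",         # an end-user script with a narrow scope
}

# Privilege -> permitted (method glob, path glob) pairs at the core.
POLICY = {
    "root": [("*", "*")],
    "owner:{lst}": [("GET", "/lists/{lst}/*"), ("POST", "/lists/{lst}/members")],
    "member": [("GET", "/lists/*/config/description")],
}


@dataclass
class Decision:
    allowed: bool
    upstream: Optional[str]  # URL forwarded to the core, or None when denied
    reason: str


def rules_for(role: str) -> List[Tuple[str, str]]:
    """Expand a per-list owner role into concrete path patterns."""
    if role.startswith("owner:"):
        lst = role.split(":", 1)[1]
        return [(m, p.format(lst=lst)) for m, p in POLICY["owner:{lst}"]]
    return POLICY.get(role, [])


def authorize(token: str, method: str, path: str) -> Decision:
    # Reject paths that change under normalisation, so "/lists/alpha/../beta/x"
    # cannot satisfy an owner rule for "alpha" and reach list "beta" at the core.
    if not path.startswith("/") or posixpath.normpath(path) != path:
        return Decision(False, None, "malformed path")
    role = TOKENS.get(token)
    if role is None:
        return Decision(False, None, "unauthenticated")
    for m_glob, p_glob in rules_for(role):
        if fnmatchcase(method, m_glob) and fnmatchcase(path, p_glob):
            return Decision(True, CORE_BASE + path, "role=" + role)
    return Decision(False, None, "forbidden for role=" + role)
```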
