Andy, from a security standpoint, the UI preview mechanism is no different from any other resource fetch. Whether and what a consumer is authorized to access is up to the provider to discern and the expectation is that the HTTP GET request will result in a 4xx status code if the user is not authorized to access the resource.
Ian and I chatted a bit about this in the RM workgroup call today. I think his real concern was that some of the language I chose might be interpreted to suggest that consumers are directed to update the resource based on information received from the preview fetch. This is not at all what was intended to be communicated. Instead, I was aiming at providing guidance on whether consumer should use already available local information or the information from the Compact representation in forming the hyperlink that it will present to the end user. I will take a pass at improving that language....Scott Andrew J Berner/Dallas/IBM wrote on 05/17/2010 12:38:29 PM: > > Ian Green wrote: > > > > If the "improvement" to the link display is interpreted by a consumer > > > implementer as "update the persisted representation of the provider's > > > resource" then data may leak outside of the provider's security model. > and Scott Bosworth replied: > > >....The excerpted text talks about using > > these properties "to improve and replace the default link display" > > and does not reference anything about updating a persisted > > representation of the resource. > > This confuses me....I think I understand Ian's original concern > about "leaking" outside the provider's security model is that when I > "got" the resource from the provider, maybe I could see the title, > but not the description (because the description had details that > I'm not privileged to see, for example). > > But is this then saying that the "hover" could contain that > information, and isn't filtered by the same security rules? And > that's ok as long as the hover info isn't persisted? > Scott Bosworth | IBM Rational CTO Team | [email protected] | 919.486.2197 (w) | 919.244.3387(m) | 919.254.5271(f)
