On 2010-12-22 1:07, Christian Hammond wrote:
On Tue, Dec 21, 2010 at 6:18 PM, Oz Linden (Scott Lawrence) <o...@lindenlab.com> wrote:
Yes, a direct REST API that returned the URL for a name would certainly be

Do you plan to make it possible to require authentication for the REST APIs
in 1.6?  I'm currently running my server with anonymous access disabled
because enabling anon access made the REST query APIs open.
What parts are you wanting to hide?

I have not done a comprehensive audit of what I can get ... I just noted that I could do an anonymous query of all the users including addresses and decided this was a bad idea.

I can absolutely see hiding user information (definitely the full
e-mail address, maybe partly the full name) and maybe the group e-mail
address when the user accessing it is anonymous. I don't know that
blocking the entire API is useful, though, if you're allowing
anonymous access to the site anyway.

The general idea is that an anonymous user should not be able to see anything through the REST API that they couldn't see on the HTML UI.
