On Tue, May 27, 2008 at 4:14 PM, Brian Eaton <[EMAIL PROTECTED]> wrote:
> On Tue, May 27, 2008 at 9:55 AM, Louis Ryan <[EMAIL PROTECTED]> wrote:
> > Another step we can take in the meantime is to forbid the use of
> > opensocial_viewer_id and opensocial_owner_id from non-signed requests and
> > even the existence of those values from non-signed requests to deter folks
> > from using them in untrustable ways.
>
> This sounds like (another) permanent scar on the opensocial APIs.
>
> How hard will it be for us to change the cache interface so it knows
> about authentication types and which users data is keyed off of?

It's not too hard at all -- if nobody else does it, I can patch this in pretty trivially.

