On Mar 1, 2008, at 20:36 , Michael Stone wrote: >>> I thought since this dialog involves explicit user interaction this >>> is okay and not restricted by Rainbow? >> >> Oh, I thought you we proposing not using the object chooser at all? >> That's what I understood by "A work-around is to query the datastore >> directly and present the entries within your own UI".
Err, yes. I mistook your comment to apply to the dialog case. >>>> Which API do you suggest to add to ObjectChooser? I'm willing to >>>> look >>>> into this in the near future. >>> >>> I'd simply add a query parameter to the ChooseObject() DBus call. >>> Since no shipping activity uses this call directly AFAIK, it should >>> be okay at to do at this time. >> >> I think Bitfrost says that activities that wish to access other >> objects from the journal will need to ask for permission to read an >> specific object type. Michael, can you comment on this? > > See tickets #2328 and #3801 [1,2] for my existing comments. > > [1] http://dev.laptop.org/ticket/2328 > [2] http://dev.laptop.org/ticket/3801 The only comment relating to the ObjectChooser I could see was http://dev.laptop.org/ticket/2328#comment:15 But I can see what your concern is even in the read-only case - the chooser returns an object_id and then the activity uses the normal Datastore API to access it. This is a potentially risky two-step process. How about instead returning a secure token from the ObjectChooser that can only be used to read that specific entry? This would guarantee the user actually designated this exact object to be opened. - Bert - _______________________________________________ Sugar mailing list [email protected] http://lists.laptop.org/listinfo/sugar
