<div dir="ltr"><div>Hi Even: I'm not sure why "OWS" and "WFS" are in that list. A mode isn't required for OWS services of course and so those values must represent a special case or work around. Perhaps another dev can weigh in - it's odd to see just those two values. The current setup does seem to work as expected and you can effectively do things like just support WMS GetMap requests and nothing else - including traditional CGI requests. You're correct that if the incoming request doesn't contain a mode then mode filtering doesn't happen. In that case, if the request isn't an OWS request then the mode is set to BROWSE (<a href="https://github.com/MapServer/MapServer/blob/c862b04cf690091995df40139a6be77a2ff72bce/mapservutil.c#L1770">https://github.com/MapServer/MapServer/blob/c862b04cf690091995df40139a6be77a2ff72bce/mapservutil.c#L1770</a>). That value should probably be checked against ms_enable_modes again at this point (<a href="https://github.com/MapServer/MapServer/issues/6323">https://github.com/MapServer/MapServer/issues/6323</a>).</div><div><br></div><div>Regarding the other area, if you have a mapfile with 5 layers and only want to allow runtime changes against one of them you have to do something like this for each layer you don't want touched. </div><div><br></div><div>LAYER</div><div> ...</div><div> VALIDATION</div><div> IMMUTABLE "any value"</div><div> END</div><div>END</div><div><br></div><div>I don't think this approach makes sense and users should be able/required to explicitly define what objects they want to allow runtime changes to via the RFC 44 syntax. The validation "hack" doesn't work very well and isn't fine grained. I think it would be much better to hang a boolean "mutable" property (default = false) off objects that are candidates for this sort of limited configuration and then only allow changes to those explicitly set to true. The property would not cascade. That way a user could limit changes to just a scalebar or to a single style in a layer - and nowhere by default.</div><div><br></div><div>SCALEBAR</div><div> ...</div><div> MUTABLE TRUE # allow limited configuration at runtime</div><div>END</div><div><br></div><div>--Steve</div><div><br></div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, May 17, 2021 at 1:35 PM Even Rouault <<a href="mailto:even.rouault@spatialys.com">even.rouault@spatialys.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Steve,</p>
<p>Regarding modes, what would we do regarding OWS requests (I mean
WMS, WCS, etc.) ? Would that be a mode that needs to be explicitly
enabled ? I see in mapservutil.c that modeStrings[] contains OWS
and WFS strings (which aren't documented in
<a href="https://mapserver.org/fr/cgi/controls.html" target="_blank">https://mapserver.org/fr/cgi/controls.html</a>), but if the incoming
request doesn't contain explicit MODE=OWS or MODE=WFS query
parameters, mode filtering will not be triggered.</p>
<p>I haven't understood what you meant with "immutable validation
value" and what would change. Some example might be useful.<br>
</p>
<p>Even<br>
</p>
<div>Le 17/05/2021 à 19:58, Steve Lime a
écrit :<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi all: MapServer has a number of ways to
enable/disable CGI-based functionality. For example the <i>ows_enable_request</i>
metadata (RFC 67), the <i>ms_enable_modes</i> metadata (RFC
90) or the immutable validation value associated with runtime
changes (RFC 44). The latter doesn't seem to be particularly
well documented so folks probably don't know it's possible. Of
these methods, only ows_enable_request requires users to opt in
- you have to explicitly allow OWS services. The other methods
require users to opt out. I think we should think about changing
that in 8.0 and require explicit configuration by default, so:
<div>
<ol>
<li>Require <i>ms_enable_modes</i> be set before handling
native MapServer CGI requests or at least set a
more limited default than all modes.</li>
<li>Consider objects as immutable by default and require
users to explicitly configure that at the object-level by
adding. Would probably need to extend the VALIDATION block
to a few other objects such as scalebars, reference maps
and legends. The necessary changes are otherwise not
extensive.</li>
</ol>
Note that I consider run-time substitutions as already being
explicit since 1) validation is required and 2) users must
denote substitution strings as appropriate. Thoughts?</div>
<div><br>
</div>
<div>--Steve<br>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<pre>_______________________________________________
mapserver-dev mailing list
<a href="mailto:mapserver-dev@lists.osgeo.org" target="_blank">mapserver-dev@lists.osgeo.org</a>
<a href="https://lists.osgeo.org/mailman/listinfo/mapserver-dev" target="_blank">https://lists.osgeo.org/mailman/listinfo/mapserver-dev</a>
</pre>
</blockquote>
<pre cols="72">--
<a href="http://www.spatialys.com" target="_blank">http://www.spatialys.com</a>
My software is free, but my time generally not.</pre>
</div>
</blockquote></div></div>