[mapguide-internals] Please review RFC 103

Christine Bao Christine.Bao at autodesk.com
Wed Jul 14 03:50:10 EDT 2010 

Hi Jason,


1.       Are you sure that SetDocument() requires Administrator privileges? If so it's save to publish it.


2.       I copied from another reply:

     There is one similar operation in Studio named GetSiteProperties().

     It gets information about how long the server has been running, the number of connections, the server's version etc. The information is not from repository.

     Similar as GetDocument(), it needs the user information of current connect to open the service:

                        // Create ServerAdmin object

                        Ptr<MgServerAdmin> serverAdmin = new MgServerAdmin();

                        serverAdmin->Open(siteInfo->GetTarget(), m_userInfo);

     This call is frequently used in Studio, and I think it works for most user account. So GetDocument should not limit to high privilege user account also.

Thanks & regards,
Christine


From: Jason Birch <jason at jasonbirch.com>

Subject: Re: [mapguide-internals] Please review RFC 103

To: MapGuide Internals Mail List <mapguide-internals at lists.osgeo.org>

Message-ID:

      <AANLkTin1ktmcdXUam0x_1yVk6NtyN2J9vewuWsO5PMLy at mail.gmail.com>

Content-Type: text/plain; charset=ISO-8859-1



I would suggest that this kind of request should require author access AND

should not be available through the API at all when authoring is disabled in

webconfig.ini.  setDocument should require Administrator privileges.



I am not a big fan of allowing public access to configuration documents,

regardless of the seemingly innocuous nature of the information they

contain.



I guess the Fusion widget info calls access files outside of the repository.

 Are there any others?



Jason



On 13 July 2010 16:24, Tom Fukushima wrote:



> Along with SetDocument, what kind of user would be allowed access to this

> file? For example, since the RFC mentions the Studio user perhaps these

> operations only be available to someone with Author (or above) privileges.

>  Do we need a way to set security on this document so that we can restrict

> who can access it? I would hope not since that seems like overkill.

>

> Are there any other operations in MGOS that are similar to this (i.e.,

> access documents or information outside of the repository) in behavior?

>

>

More information about the mapguide-internals mailing list