[mapserver-dev] Version 8.0, more opt in and less opt out...

Steve Lime sdlime at gmail.com
Tue May 18 04:58:42 PDT 2021


Hi Even: I'm not sure why "OWS" and "WFS" are in that list. A mode isn't
required for OWS services of course and so those values must represent a
special case or workaround.  Perhaps another dev can weigh in - it's odd
to see just those two values. The current setup does seem to work as
expected and you can effectively do things like just support WMS GetMap
requests and nothing else - including traditional CGI requests.  You're
correct that if the incoming request doesn't contain a mode then mode
filtering doesn't happen. In that case, if the request isn't an OWS request
then the mode is set to BROWSE (
https://github.com/MapServer/MapServer/blob/c862b04cf690091995df40139a6be77a2ff72bce/mapservutil.c#L1770).
That value should probably be checked against ms_enable_modes again at this
point (https://github.com/MapServer/MapServer/issues/6323).

Regarding the other area, if you have a mapfile with 5 layers and only want
to allow runtime changes against one of them you have to do something like
this for each layer you don't want touched.

LAYER
  ...
  VALIDATION
    IMMUTABLE "any value"
  END
END

I don't think this approach makes sense and users should be able/required
to explicitly define what objects they want to allow runtime changes to via
the RFC 44 syntax. The validation "hack" doesn't work very well and isn't
fine grained. I think it would be much better to hang a boolean "mutable"
property (default = false) off objects that are candidates for this sort of
limited configuration and then only allow changes to those explicitly set
to true. The property would not cascade. That way a user could limit
changes to just a scalebar or to a single style in a layer - and nowhere by
default.

SCALEBAR
  ...
  MUTABLE TRUE # allow limited configuration at runtime
END

--Steve

On Mon, May 17, 2021 at 1:35 PM Even Rouault <even.rouault at spatialys.com>
wrote:

> Steve,
>
> Regarding modes, what would we do regarding OWS requests (I mean WMS, WCS,
> etc.) ? Would that be a mode that needs to be explicitly enabled ? I see in
> mapservutil.c that modeStrings[] contains OWS and WFS strings (which aren't
> documented in https://mapserver.org/fr/cgi/controls.html), but if the
> incoming request doesn't contain explicit MODE=OWS or MODE=WFS query
> parameters, mode filtering will not be triggered.
>
> I haven't understood what you meant with "immutable validation value" and
> what would change. Some example might be useful.
>
> Even
> On 17/05/2021 at 19:58, Steve Lime wrote:
>
> Hi all: MapServer has a number of ways to enable/disable CGI-based
> functionality. For example the *ows_enable_request* metadata (RFC 67),
> the  *ms_enable_modes* metadata (RFC 90) or the immutable validation
> value associated with runtime changes (RFC 44). The latter doesn't seem to
> be particularly well documented so folks probably don't know it's possible.
> Of these methods, only ows_enable_request requires users to opt in - you
> have to explicitly allow OWS services. The other methods require users to
> opt out. I think we should think about changing that in 8.0 and require
> explicit configuration by default, so:
>
>    1. Require *ms_enable_modes* be set before handling native MapServer
>    CGI requests or at least set a more limited default than all modes.
>    2. Consider objects as immutable by default and require users to
>    explicitly configure that at the object-level by adding. Would probably
>    need to extend the VALIDATION block to a few other objects such as
>    scalebars, reference maps and legends. The necessary changes are otherwise
>    not extensive.
>
> Note that I consider run-time substitutions as already being explicit
> since 1) validation is required and 2) users must denote substitution
> strings as appropriate. Thoughts?
>
> --Steve
>
>
>
> _______________________________________________
> mapserver-dev mailing list
> mapserver-dev at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/mapserver-dev
>
> -- http://www.spatialys.com
> My software is free, but my time generally not.
>
>
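
Added example, not part of the thread and not MapServer code: a simplified C model of the mode check discussed above. It shows that a request without MODE is served when the filter is only consulted for explicit modes, and is rejected once the defaulted BROWSE mode is checked too. The function names, the `recheck` and `opt_in` flags and the list-parsing rules are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption) of an enable list such as "!* MAP":
 * "*" / "!*" set the wildcard, "NAME" / "!NAME" set one mode, and a
 * named entry wins over the wildcard. Names are compared case-sensitively
 * here. opt_in selects the default used when nothing in the list applies:
 * 0 = allow (opt out), 1 = deny (opt in). */
static int mode_enabled(const char *list, const char *mode, int opt_in)
{
    int wildcard = opt_in ? 0 : 1, named = -1;
    char buf[256];

    if (list == NULL)
        return wildcard;
    strncpy(buf, list, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        int neg = (tok[0] == '!');
        const char *name = tok + neg;
        if (strcmp(name, "*") == 0)
            wildcard = !neg;
        else if (strcmp(name, mode) == 0)
            named = !neg;
    }
    return named >= 0 ? named : wildcard;
}

/* Hypothetical dispatcher for a non-OWS request. mode_param is the MODE
 * query value, or NULL when the request carries none. recheck applies the
 * filter to the defaulted BROWSE mode as well. Returns 1 if served. */
static int cgi_request_allowed(const char *list, const char *mode_param,
                               int recheck, int opt_in)
{
    if (mode_param != NULL)
        return mode_enabled(list, mode_param, opt_in);
    if (!recheck)
        return 1; /* mode defaults to BROWSE, filter never consulted */
    return mode_enabled(list, "BROWSE", opt_in);
}

int main(void)
{
    /* Constructed case: all modes disabled, request without MODE. */
    printf("no recheck: %d\n", cgi_request_allowed("!*", NULL, 0, 0));
    printf("recheck:    %d\n", cgi_request_allowed("!*", NULL, 1, 0));
    return 0;
}
```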