Forum OpenACS Development: Re: SOA? - Generic XML-RPC Bridge to Database API

Posted by Torben Brosten on
Hi Frank,

The ecommerce auditing feature basically tracks changes that users and admins make to editable data, see: https://openacs.org/doc/ecommerce/audit and a discussion on making this service available to any package or user action: https://openacs.org/forums/message-view?message%5fid=456993

You ask: "Do you refer to introducing permissions, similar to the ones of the PostgreSQL database user? Maybe read and write permissions per object?"

The mapping/filtering would be in addition to any permissions that are implemented at the url level and object level (including checking for read/write/create/delete permission on a called object before taking action on it).

Creating a general service has the potential of making the website vulnerable to complete tcl api access, in a manner similar to how developer-support provides tcl api access to admins, or how user input fields are vulnerabilities for certain attacks by blue meanies etc. If there will be any user-level or package-admin level configurable services (which saves having to hard code each one), then there needs to be a way to screen calls before they get processed in any way, similar to how html and html attributes are screened in user input now.
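The screening layer the post asks for, as an added example that is not part of the original thread and not OpenACS code (OpenACS is Tcl; this is Python using only the standard library's xmlrpc module so it runs offline). The method names, the in-memory objects and the ACL are hypothetical stand-ins. The point it demonstrates is the one made above: a bridge that forwards any method name to the language API is equivalent to handing out developer-support access, whereas a bridge that maps a fixed list of public method names to specific handlers, and checks parameter types and the caller's object-level privilege before dispatching, cannot reach anything that was not deliberately exposed.

```python
"""Added example, not OpenACS code: an XML-RPC gateway that exposes only an
explicit allow-list of methods and screens each call (method name, parameter
types, per-object privilege) before anything reaches the back-end API.
Standard library only; the 'database' and ACL below are constructed stand-ins."""
import xmlrpc.client
from xml.parsers.expat import ExpatError
from xmlrpc.client import Fault

# Constructed sample data: one editable object and who holds which privilege on it.
OBJECTS = {101: {"title": "Widget", "price": 10.0}}
ACL = {("alice", 101): {"read", "write"}, ("bob", 101): {"read"}}


def permission_p(party_id, object_id, privilege):
    """Object-level check in the read/write/create/delete style the post describes.
    Hypothetical stand-in for a real permission system."""
    return privilege in ACL.get((party_id, object_id), set())


# Back-end API. These are the only functions the gateway can ever reach, and only
# through the registry below; they never see a request the screen rejected.
def get_object(party_id, object_id):
    return dict(OBJECTS[object_id])


def set_price(party_id, object_id, price):
    if price < 0:
        raise Fault(400, "price must not be negative")
    OBJECTS[object_id]["price"] = float(price)
    return OBJECTS[object_id]["price"]


# public method name -> (privilege required on params[0], parameter types, handler).
# Anything not listed here is unreachable, unlike an eval-style bridge that
# forwards whatever method name the client supplies to the language API.
METHODS = {
    "object.read": ("read", (int,), get_object),
    "object.set_price": ("write", (int, (int, float)), set_price),
}


def screen(party_id, method, params):
    """Return the handler for the call, or raise Fault if any check fails."""
    spec = METHODS.get(method)
    if spec is None:
        raise Fault(-32601, "method not exposed: %s" % method)
    privilege, types, handler = spec
    if len(params) != len(types):
        raise Fault(-32602, "wrong number of parameters")
    for value, allowed in zip(params, types):
        # type() rather than isinstance(): an XML-RPC <boolean> must not pass as int.
        if type(value) not in (allowed if isinstance(allowed, tuple) else (allowed,)):
            raise Fault(-32602, "bad parameter type")
    if not permission_p(party_id, params[0], privilege):
        raise Fault(403, "no %s permission on object %s" % (privilege, params[0]))
    return handler


def handle_request(party_id, request_xml):
    """Serve one raw XML-RPC request body on behalf of an already-authenticated
    party; always returns an XML-RPC response document (value or fault)."""
    try:
        params, method = xmlrpc.client.loads(request_xml)
        handler = screen(party_id, method, params)
        result = handler(party_id, *params)
        return xmlrpc.client.dumps((result,), methodresponse=True)
    except ExpatError:
        return xmlrpc.client.dumps(Fault(-32700, "malformed request"))
    except Fault as fault:
        return xmlrpc.client.dumps(fault)


def call(party_id, method, *params):
    """Client side: marshal a call, push it through the gateway, unmarshal the
    reply. Raises xmlrpc.client.Fault when the gateway rejected the call."""
    request_xml = xmlrpc.client.dumps(params, methodname=method)
    response_xml = handle_request(party_id, request_xml)
    (value,), _ = xmlrpc.client.loads(response_xml)
    return value


def rejection_code(party_id, method, *params):
    """Fault code the gateway answered with, or None if it accepted the call."""
    try:
        call(party_id, method, *params)
    except Fault as fault:
        return fault.faultCode
    return None


if __name__ == "__main__":
    print(call("alice", "object.read", 101))
    print(call("alice", "object.set_price", 101, 12.5))
    for party, method, args in [("bob", "object.set_price", (101, 1.0)),
                                ("alice", "object.delete", (101,)),
                                ("alice", "object.set_price", (101, "cheap"))]:
        print("rejected:", rejection_code(party, method, *args))
```

The screen runs before the handler is even looked up for execution, so a rejected call never touches application code or the database, which is the property the post wants for any package-admin configurable service. Authentication of party_id is assumed to have happened at the URL level already; this layer only adds the per-call mapping and the object-level privilege check.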