[Mailman-Developers] PyCon 2009 sprint: Webinterface
Barry Warsaw
barry at list.org
Tue Mar 24 00:48:16 CET 2009
On Mar 23, 2009, at 10:55 AM, Patrick Ben Koetter wrote:
> Yes. It keeps everything in one place. I would have to work around the
> freemind mindmap flash fancy stuff though, which I've just fallen in love
> with. But let's not let this get in the way.
>
> How do we do it? Do I get write access to Mailman wiki?
You should have write access just by virtue of having an account on
the wiki. There are only a few pages that aren't generally writable
by every logged in user. If you're having a problem with a specific
page, let me know.
> We've thought about different client technologies too. That's the client
> technology part I wrote about in the wiki.
>
> Which we didn't discuss was fully authenticated access for the REST server
> by design. If I understand this correctly then any party that is able to
> communicate with the REST server will have full admin access to Mailman's
> data model. In other words: It's upon any REST client to protect the REST
> server from abuse.
That's basically correct.
> I feel a little uneasy not having the server control that itself unless we
> find a good way to control who may connect to the server or the server is
> able to identify valid clients by some client identity (ACL).
It depends on whether we view the REST API as a user feature or an
admin interface. I've always thought about it as the latter, but I'm
open to other opinions. OTOH, I think there's a lot of functionality
that a privileged process could need, that the general public won't
need at all. Another way to think about it is that there doesn't need
to be just one REST API.
>> What this means though is that when you deploy Mailman's REST interface,
>> you must take care to protect it. You wouldn't want to expose it to the
>> internet for example. You'd want to make sure that its interface is
>> accessible only via your data center, or via localhost if you were running
>> a turnkey standalone system.
>
> I was thinking of TLS client/server authentication for open networks. Not
> that I have spent time yet to find out if Python (REST) tools provide such
> functionality - I am sure it does, but given my low Python experience, I'd
> rather verify...
I'm not sure about this either.
Barry
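
On the TLS client-authentication question left open in the message above: Python's standard ssl module can require and verify client certificates. The sketch below is an added example, not code from the thread or from Mailman; the handler, port, allowlist and host names are assumptions made up for illustration. It binds to localhost only and applies a per-client ACL on the certificate's common name.

```python
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical allowlist of client-certificate common names (constructed values).
ALLOWED_CLIENTS = {"webui.example.org"}


def make_server_context(cert=None, key=None, client_ca=None):
    """TLS server context that refuses clients without a verified certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED        # handshake fails without a client cert
    if cert:
        ctx.load_cert_chain(cert, key)         # the server's own identity
    if client_ca:
        ctx.load_verify_locations(client_ca)   # CA that issues the client certs
    return ctx


def client_common_name(peercert):
    """Extract the subject CN from the dict returned by SSLSocket.getpeercert()."""
    for rdn in (peercert or {}).get("subject", ()):
        for name, value in rdn:
            if name == "commonName":
                return value
    return None


def is_allowed(peercert, allowed=ALLOWED_CLIENTS):
    """ACL check: only listed client identities may use the admin API."""
    return client_common_name(peercert) in allowed


class AdminHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # self.connection is the SSLSocket once the listening socket is wrapped.
        ok = is_allowed(self.connection.getpeercert())
        self.send_response(200 if ok else 403)
        self.end_headers()
        self.wfile.write(b"ok\n" if ok else b"forbidden\n")


def serve(cert, key, client_ca, port=8001):
    # Bind to loopback only, as suggested above for a standalone system.
    httpd = HTTPServer(("127.0.0.1", port), AdminHandler)
    ctx = make_server_context(cert, key, client_ca)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()
```

Calling serve() needs a server certificate, its key, and the CA file used to sign client certificates; none of these are provided here.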