[Mailman-Developers] REST API docs?

Barry Warsaw barry at list.org
Wed Jun 16 21:41:41 CEST 2010


On Jun 16, 2010, at 09:31 PM, Fil wrote:

>I see no mention of access control. Will we use OAuth or something?

Well, this is an interesting question <wink>.

The way I've been thinking about it has been that the REST interface currently
in the core engine is essentially an unprotected administrative interface.
We would only ever expose it by default on localhost.  For a publicly
accessible REST front-end, we'd use OAuth and lock down permission based on
privilege, but this would be a separate process and interface from the core.

I know that's somewhat controversial but given the nightmarish complexity of
lazr.restful and Zope's publisher, it was IMO an entirely justified
architecture.  With the switch to restish, it may be feasible to put security
in the core.  The tricky thing is doing this for end-user scripting while
still allowing something like the webui to have unlimited, essentially root
access.

-Barry
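
Added example, not part of the original message and not Mailman's own code: a sketch of the split described above, where the unprotected core API is only allowed to bind to loopback and a separate public front-end decides, per token and privilege, which requests it forwards. The token table, roles and route patterns are hypothetical; a real front-end would validate OAuth tokens rather than look them up in a dict.

```python
import ipaddress
import re

# Constructed sample grants (assumption): one unlimited "webui" token,
# one end-user token tied to a single address.
TOKENS = {
    "tok-webui": {"role": "admin", "user": None},
    "tok-alice": {"role": "member", "user": "alice@example.com"},
}

# Hypothetical routes an end-user script may call; not Mailman's real paths.
MEMBER_RULES = [
    ("GET", re.compile(r"/lists")),
    ("GET", re.compile(r"/members/(?P<user>[^/]+)")),
    ("PATCH", re.compile(r"/members/(?P<user>[^/]+)/preferences")),
]


def core_bind_is_safe(host):
    """The unprotected core API may only listen on a loopback address."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other hostname: refuse rather than resolve it


def authorize(token, method, path):
    """Decide whether the public front-end forwards a request to the core."""
    grant = TOKENS.get(token)
    if grant is None:
        return False  # unknown token: default deny
    if grant["role"] == "admin":
        return True  # webui-style, essentially root access
    for allowed_method, pattern in MEMBER_RULES:
        match = pattern.fullmatch(path)  # fullmatch: no trailing junk accepted
        if allowed_method == method and match:
            owner = match.groupdict().get("user")
            # Members may only touch resources under their own address.
            return owner is None or owner == grant["user"]
    return False  # anything not explicitly listed is denied
```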