TWikiScripts suggests protecting rest, so our suggested http config should show this then. Will also update the TWiki:TWiki.ApacheConfigGenerator.
-- TWiki:Main/KennethLavrsen - 22 Aug 2007
<verbatim>
Lavr> <SvenDowideit> Lavr, wasn't the rest script supposed to be added to the AuthScripts? - YES I added it to the apache auth. But not to the TWiki.spec because I was not sure about that.
<CDot> Lavr: it should not be added to AuthScripts in twiki.spec
<CDot> redirecting a rest script to a login page doesn't make much sense :-(
<Lavr> Good. Then I have not made anything wrong in that respect.
</verbatim>
I think I disagree. Adding the rest script to {AuthScripts} does not redirect to login, because RestCgi does not use UI::run; instead it implements its own set of oddities.
Releasing with RestCgi having totally different security settings depending on the LoginManager choice is a security issue waiting to happen, and one that I reckon we can fix.
I propose amending the code in rest so that it works similarly to UI::run (i.e., if listed in {AuthScripts} it will refuse to continue), and to add the getSession bits so that the ?username etc. parameters are only needed if the user has not already got a session. (OK, I'll do it up to the point that major code changes are needed, and then cut our losses.)
Crawford, Kenneth, can you please comment?
-- TWiki/Main.SvenDowideit - 04 Sep 2007
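As an added illustration of the behaviour proposed above (this is not TWiki's own code, and the config hash, session hash and parameter hash are assumed stand-ins for what the real LoginManager and CGI layer provide), the following Perl models the decision the rest script would make: consult {AuthScripts}, prefer an existing session, only then fall back to ?username/?password, and fail closed with an error rather than a login redirect.

```perl
#!/usr/bin/perl
# Illustrative model of the proposed rest-script auth check; not TWiki code.
# Assumed: $cfg->{AuthScripts} is the comma-separated list from TWiki.spec,
# $session->{user} is set only when a LoginManager session already exists,
# and $params holds the CGI query parameters.
use strict;
use warnings;

# Constructed config: rest listed alongside the usual protected scripts.
my %cfg = ( AuthScripts => 'attach,edit,manage,rename,save,upload,rest' );

sub is_auth_script {
    my ( $script, $cfg ) = @_;
    my %auth = map { $_ => 1 } split /\s*,\s*/, ( $cfg->{AuthScripts} || '' );
    return exists $auth{$script} ? 1 : 0;
}

# Returns one of:
#   'proceed'           - not protected, or an existing session identifies the user
#   'check_credentials' - protected and no session, but ?username/?password supplied;
#                         the LoginManager must validate them before any work is done
#   '401 Unauthorized'  - protected, no session, no credentials: error, never a redirect
sub rest_auth_decision {
    my ( $script, $cfg, $session, $params ) = @_;
    return 'proceed' unless is_auth_script( $script, $cfg );
    return 'proceed' if defined $session->{user} && length $session->{user};
    return 'check_credentials'
      if defined $params->{username} && defined $params->{password};
    return '401 Unauthorized';
}

# Constructed calls showing the three outcomes.
print rest_auth_decision( 'rest', \%cfg, { user => 'JaneDoe' }, {} ), "\n";
print rest_auth_decision( 'rest', \%cfg, {}, { username => 'JaneDoe', password => 'x' } ), "\n";
print rest_auth_decision( 'rest', \%cfg, {}, {} ), "\n";
print rest_auth_decision( 'view', \%cfg, {}, {} ), "\n";
```

Removing rest from {AuthScripts} is the only way to get 'proceed' without a session or credentials, which is the consistency with UI::run the proposal is after.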
I have never used rest - I have no clue how it works - so no opinion from me. I reacted to a security email pointing to the fact that the documentation suggests protecting rest.
-- TWiki:Main.KennethLavrsen - 04 Sep 2007
Go for it. I split off rest from the normal UI::run process because of its unique requirements in the first place (the redirects were really screwing up my JS), so it should not be merged back; but it should respect config settings.
-- TWiki:Main.CrawfordCurrie - 05 Sep 2007
Done; both return an error on no-auth, and use sessions if they exist.
-- TWiki:Main.SvenDowideit - 15 Sep 2007