| Version 9 (modified by , 18 years ago) ( diff ) |
|---|
MapGuide RFC 20 - Obtain user, group, role information from MapGuide session id
This page contains a change request (RFC) for the MapGuide Open Source project. More MapGuide RFCs can be found on the RFCs page.
Status
| RFC Template Version | (1.0) |
| Submission Date | May 7, 2007 |
| Last Modified | Trevor Wekel Timestamp |
| Author | Trevor Wekel |
| RFC Status | not ready for review |
| Implementation Status | not implemented |
| Proposed Milestone | 1.2 |
| Assigned PSC guide(s) | |
| Voting History | |
| +1 | |
| +0 | |
| -0 | |
| -1 |
Overview
This RFC exposes existing functionality within MapGuide to allow the MapGuide session identifier to be used to obtain userid, group, and role information for the user associated with the session identifier.
Motivation
User, group and role information has to be currently maintained by the web applications. Adding this functionality will make web applications easier to develop and has been requested by a number of users.
Proposed Solution
Expose the API:
STRING MgUserInformation::!GetUserName() !MgByteReader* MgSite::!EnumerateGroups( CREFSTRING user, CREFSTRING role ); !MgStringCollection* MgSite::!EnumerateRoles( CREFSTRING user, CREFSTRING group );
Make the following internal changes:
Append the userid (hex encoded) to the session identifier when it is created. Modify permissions on EnumerateGroups and EnumerateRoles so that a user can enumerate his own groups and roles.
Implications
This RFC is strictly an API enhancement. Having the userid contained in the session identifier makes MapGuide a little less secure. However, stealing a session identifier will compromise the user so the damage has already been done.
Test Plan
Write a simple app to verify that standard users can access their own groups and roles. Also validate that non-Author and non-Admin users do not have access to other groups and roles.
Funding/Resources
Autodesk to provide resources / funding.
