
Version 11 (modified by brucedechant, 17 years ago)

MapGuide RFC 20 - Obtain user, group, role information from MapGuide session id

This page contains a change request (RFC) for the MapGuide Open Source project. More MapGuide RFCs can be found on the RFCs page.

Status

RFC Template Version: (1.0)
Submission Date: May 7, 2007
Last Modified: Trevor Wekel Timestamp
Author: Trevor Wekel
RFC Status: draft
Implementation Status: pending
Proposed Milestone: 1.2
Assigned PSC guide(s):
Voting History:
+1:
+0:
-0:
-1:

Overview

This RFC exposes existing functionality within MapGuide to allow the MapGuide session identifier to be used to obtain userid, group, and role information for the user associated with the session identifier.

Motivation

User, group and role information currently has to be maintained by the web applications themselves. Adding this functionality will make web applications easier to develop, and it has been requested by a number of users.

Proposed Solution

Expose the API:

 STRING MgUserInformation::GetUserName()
 MgByteReader* MgSite::EnumerateGroups( CREFSTRING user, CREFSTRING role )
 MgStringCollection* MgSite::EnumerateRoles( CREFSTRING user, CREFSTRING group )

Make the following internal changes:

Append the userid (hex encoded) to the session identifier when it is created. Modify permissions on EnumerateGroups and EnumerateRoles so that a user can enumerate his own groups and roles.

Implications

This RFC is strictly an API enhancement. Having the userid contained in the session identifier makes MapGuide a little less secure. However, stealing a session identifier will compromise the user, so the damage has already been done.

Test Plan

Write a simple app to verify that standard users can access their own groups and roles. Also validate that non-Author and non-Admin users do not have access to other groups and roles.
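
The two internal changes and the test plan above, modelled as an added C++ example (not MapGuide source code). The `<token>_<hex userid>` session id layout, the role names and all function names are assumptions; it shows that the userid is recoverable from the session id alone, and the permission rule the test plan checks.

```cpp
// Added illustration, not MapGuide source. The "<token>_<hex userid>" layout,
// role names and all function names are assumptions.
#include <cstdio>
#include <set>
#include <string>

struct Session {                  // server-side record for an authenticated session
    std::string user;
    std::set<std::string> roles;
};

static int HexVal(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Append the hex-encoded userid to an opaque session token.
std::string MakeSessionId(const std::string& token, const std::string& user) {
    static const char digits[] = "0123456789ABCDEF";
    std::string id = token + "_";
    for (unsigned char c : user) { id += digits[c >> 4]; id += digits[c & 0x0F]; }
    return id;
}

// Anyone holding the id can recover the userid; "" means a malformed suffix.
std::string UserFromSessionId(const std::string& id) {
    std::size_t pos = id.rfind('_');
    if (pos == std::string::npos) return "";
    std::string hex = id.substr(pos + 1), user;
    if (hex.empty() || hex.size() % 2 != 0) return "";
    for (std::size_t i = 0; i < hex.size(); i += 2) {
        int hi = HexVal(hex[i]), lo = HexVal(hex[i + 1]);
        if (hi < 0 || lo < 0) return "";
        user += static_cast<char>(hi * 16 + lo);
    }
    return user;
}

// Self-enumeration is allowed; other users' groups and roles need Administrator or Author.
bool MayEnumerate(const Session& caller, const std::string& target) {
    if (target == caller.user) return true;
    return caller.roles.count("Administrator") > 0 || caller.roles.count("Author") > 0;
}

int main() {
    Session viewer{"alice", {"Viewer"}};  // constructed sample user
    std::string id = MakeSessionId("0123abcd", viewer.user);
    std::printf("%s -> %s self=%d other=%d\n", id.c_str(), UserFromSessionId(id).c_str(),
                MayEnumerate(viewer, "alice"), MayEnumerate(viewer, "bob"));
}
```

The permission check takes the caller from the server-side session record, so the decoded suffix is informational only.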

Funding/Resources

Autodesk to provide resources / funding.
