= !MapGuide RFC 20 - Obtain user, group, role information from !MapGuide session id =

This page contains a change request (RFC) for the !MapGuide Open Source project.
More !MapGuide RFCs can be found on the [wiki:MapGuideRfcs RFCs] page.

== Status ==

||RFC Template Version||(1.0)||
||Submission Date||May 7, 2007||
||Last Modified||Trevor Wekel [[Timestamp]]||
||Author||Trevor Wekel||
||RFC Status||draft||
||Implementation Status||pending||
||Proposed Milestone||1.2||
||Assigned PSC guide(s)||||
||'''Voting History'''||||
||+1||||
||+0||||
||-0||||
||-1||||

== Overview ==

This RFC exposes existing functionality within !MapGuide to allow the !MapGuide session identifier to be used to obtain userid, group, and role information for the user associated with the session identifier.

== Motivation ==

User, group, and role information currently has to be maintained by the web applications. Adding this functionality will make web applications easier to develop and has been requested by a number of users.

== Proposed Solution ==

Expose the API:

{{{
STRING MgUserInformation::GetUserName()
MgByteReader* MgSite::EnumerateGroups( CREFSTRING user, CREFSTRING role )
MgStringCollection* MgSite::EnumerateRoles( CREFSTRING user, CREFSTRING group )
}}}

Make the following internal changes:

 * Append the userid (hex encoded) to the session identifier when it is created.
 * Modify permissions on !EnumerateGroups and !EnumerateRoles so that a user can enumerate his own groups and roles.

== Implications ==

This RFC is strictly an API enhancement.

Having the userid contained in the session identifier makes !MapGuide a little less secure, because hex encoding is reversible and anyone who sees the identifier can read the userid. However, stealing a session identifier will compromise the user, so the damage has already been done.

== Test Plan ==

Write a simple app to verify that standard users can access their own groups and roles. Also validate that non-Author and non-Admin users do not have access to other groups and roles.

== Funding/Resources ==

Autodesk to provide resources / funding.
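
The two internal changes and the test plan can be modelled together. This is an added example, not !MapGuide source code: the `<token>_<hex(userid)>` layout, the function names and the role strings `Administrator` and `Author` are assumptions, and the session id is assumed to have already been validated by the server.

```cpp
#include <set>
#include <string>

// Hex-encode a userid, as the RFC proposes for the session-id suffix.
std::string hexEncode(const std::string& s) {
    static const char* digits = "0123456789abcdef";
    std::string out;
    for (unsigned char c : s) { out += digits[c >> 4]; out += digits[c & 0x0f]; }
    return out;
}

// ASSUMED layout "<opaque token>_<hex(userid)>"; the RFC does not fix a format.
std::string makeSessionId(const std::string& token, const std::string& userid) {
    return token + "_" + hexEncode(userid);
}

// Recover the userid from the suffix. Returns false on malformed input.
// Hex is an encoding, not protection: any holder of the id can do this.
bool userFromSessionId(const std::string& sid, std::string& user) {
    user.clear();
    std::string::size_type pos = sid.rfind('_');
    if (pos == std::string::npos) return false;
    const std::string hex = sid.substr(pos + 1);
    if (hex.empty() || hex.size() % 2 != 0) return false;
    auto nibble = [](char c) -> int {
        if (c >= '0' && c <= '9') return c - '0';
        if (c >= 'a' && c <= 'f') return c - 'a' + 10;
        return -1;
    };
    for (std::string::size_type i = 0; i < hex.size(); i += 2) {
        const int hi = nibble(hex[i]), lo = nibble(hex[i + 1]);
        if (hi < 0 || lo < 0) return false;
        user += static_cast<char>(hi * 16 + lo);
    }
    return true;
}

// Model of the permission rule for EnumerateGroups / EnumerateRoles:
// a caller may always enumerate their own data; another user's data
// only when the caller holds the Administrator or Author role.
bool mayEnumerate(const std::string& sid,
                  const std::set<std::string>& callerRoles,
                  const std::string& targetUser) {
    std::string caller;
    if (!userFromSessionId(sid, caller)) return false;  // fail closed
    if (caller == targetUser) return true;
    return callerRoles.count("Administrator") > 0 || callerRoles.count("Author") > 0;
}
```

The checks a test app would make follow the test plan: a standard user is allowed for their own name, refused for another user's, and a malformed identifier is refused regardless of role.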