[oslc-core] Question on UI Preview - data refresh
Scott Bosworth
bosworth at us.ibm.com
Mon May 17 13:16:37 EDT 2010
Andy, from a security standpoint, the UI preview mechanism is no different
from any other resource fetch. Whether and what a consumer is authorized to
access is up to the provider to discern and the expectation is that the
HTTP GET request will result in a 4xx status code if the user is not
authorized to access the resource.
Ian and I chatted a bit about this in the RM workgroup call today. I think
his real concern was that some of the language I chose might be interpreted
to suggest that consumers are directed to update the resource based on
information received from the preview fetch. This is not at all what was
intended to be communicated. Instead, I was aiming at providing guidance on
whether consumer should use already available local information or the
information from the Compact representation in forming the hyperlink that
it will present to the end user. I will take a pass at improving that
language....Scott
Andrew J Berner/Dallas/IBM wrote on 05/17/2010 12:38:29 PM:
>
> Ian Green wrote:
>
> > > If the "improvement" to the link display is interpreted by a consumer
> > > implementer as "update the persisted representation of the provider's
> > > resource" then data may leak outside of the provider's security
model.
> and Scott Bosworth replied:
>
> >....The excerpted text talks about using
> > these properties "to improve and replace the default link display"
> > and does not reference anything about updating a persisted
> > representation of the resource.
>
> This confuses me....I think I understand Ian's original concern
> about "leaking" outside the provider's security model is that when I
> "got" the resource from the provider, maybe I could see the title,
> but not the description (because the description had details that
> I'm not privileged to see, for example).
>
> But is this then saying that the "hover" could contain that
> information, and isn't filtered by the same security rules? And
> that's ok as long as the hover info isn't persisted?
>
Scott Bosworth | IBM Rational CTO Team | bosworth at us.ibm.com | 919.486.2197
(w) | 919.244.3387(m) | 919.254.5271(f)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://open-services.net/pipermail/oslc-core_open-services.net/attachments/20100517/a74ce879/attachment-0003.html>
More information about the Oslc-Core
mailing list