On 02/08/2013 08:52 AM, Greg Wilkins wrote:
> On 8 February 2013 17:44, Greg Wilkins <gregw_at_intalio.com> wrote:
>> now is the time to speak up else we'll just be putting
>> another band aid on this thing!
> I know I've had my fair share to say on this topic, but I've look back
> at the history and realise that last time I advocated for a
> permissions based model was back in 2008 when Ron originally proposed
> the http-method-exception (not called http-method-omission) as a
> solution to this very issue.
>
> My full response is below where I argued that it was overly complex
> and did not meet the developers expectations. I think I can claim an
> "I told you so" as it has indeed not solved the problem. The problem
> was (and is) that developers don't really understand the security
> model, so adding layers of complexity is hardly going to fix that
> problem. We need a more intuitive security mode.
>
> The current proposal tires to provide a "solution" by allowing
> developers who don't understand the security model to just add a tag
> and it will all be OK! It does not encourage them or help them to
> understand the constraints they have. The true problem is the lack of
> understanding and allowing uncovered methods is only one symptom of
> that. I'm sure there are many other wrong security configurations due
> to this lack of understanding.
>
> If we really don't have time to finally come up with an understandable
> security model, then I don't think the current proposal is going to be
> any more successful that the last attempted fix. We should just add
> logging to educate users about the omission constraints already
> available and start work on a better model for the next iteration.
+1 [obviously]
But although I fully agree and trying to put another band aid on a so
called security system that is too limited to use, while still too
complex to understand, is ridiculous, I have to note they chose to care
about this non issue. So, at this point, it seems better to put in Ron's
proposed change and move on.
Rémy