[Building Sakai] Question about some EB providers

Aaron Zeckoski azeckoski at unicon.net
Tue Aug 10 12:16:56 PDT 2010


That's tricky because it doesn't make a lot of sense that it is OK for
someone to access the roster data sometimes and not OK at other times.
It almost sounds more like there is a security hole in forums rather
than there being a deficiency in the membership provider.

I don't really have a solution for you without knowing more about the
use case unfortunately. Just something to be aware of.

I wouldn't worry about the sample user directory provider too much.

-AZ



On Tue, Aug 10, 2010 at 2:53 PM, Maurer, Christopher Wayne
<chmaurer at iupui.edu> wrote:
> We're working on building out some functionality for message center here at IU to allow for use on mobile devices and have run into a couple of issues related to the entity broker providers.
>
> First, in the MembershipEntityProvider, it eventually finds its way down to the getMembers method, and I'm failing the isAllowedAccessMembers check. Under normal circumstances, this is correct because this user (student, etc) can't see the site roster, but in the case of message center, the user needs to see a list of users to send messages to. Is there some other way to get at this information through EB? I don't feel that good about creating a new method that skips the perm check, because I don't want to open the door for people to get at data they aren't supposed to.
>
> Secondly, (this probably is only an issue on my local instance with the sample provider enabled, but I'd like to be sure), if I have a user in a site that comes from the sample provider, when the code gets to UserEntityProvider.getUserByIdEid(), the UDS can find no user.  Most everything else seems to handle the sample users OK (that I've seen).  Is this anything that I should be concerned about?
>
> Any suggestions on either of these issues would be great!  Thanks.
>
> We're running 2.6-ish.  We patch and customize lots of stuff, so it's hard to say what version it is!
>
> Chris



-- 
Aaron Zeckoski - Software Engineer - http://tinyurl.com/azprofile

