Forums | Mahara Community
XMLRPC function: when do we need a token system
29 April 2009, 21:05
I'm implementing some new XMLRPC functions into Mahara.
get_file($username, $id) should export a file. I wonder if I need to implement a token system as in send_content_ready(). I mean, if the username is already tested against the remote host (find_remote_user), do we need a token for this specific transaction?
What could happen if there is no token checking?
29 April 2009, 22:07
Hi - what do you mean by 'is already tested against the remote host (find_remote_user)'. Are you saying that the remote system knows the username is valid and therefore should be able to call get_file safely, or are you saying something else?
Other question: at the time get_file is called, does the user have an SSO session started there? Or is that not always the case?
30 April 2009, 2:06
Yes, the SSO session is always started before get_file is called.
As find_remote_user($username, $REMOTEWWWROOT) should return a remote site user, I consider the user valid. But maybe I'm wrong? Is it not safe to call get_file() if the user is valid? I don't see a way to fake the user identity, so that's why I wonder if the token system is necessary.
I don't mind at all adding token checking. I just don't want to add stuff if it's not necessary.
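The question running through this thread is what a per-transaction token adds once the calling host has already been authenticated and the user resolved via find_remote_user. The following example, written for this page in Python rather than Mahara's PHP and not taken from Mahara's send_content_ready() implementation, shows the property a token gives you that host-level trust alone does not: it binds one (remote host, username, file id) triple to a short-lived, single-use secret, so the same authenticated host cannot replay an approval, point it at a different file, or have it consumed from a different origin. TokenStore, TOKEN_TTL, TRUSTED_HOSTS and FILES are hypothetical names and constructed sample data.

```python
"""Per-transaction tokens for an XMLRPC-style get_file(username, id) call.

Hypothetical illustration for the forum discussion above; this is not Mahara
code and does not reproduce how send_content_ready() issues its tokens.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 300  # seconds a token stays valid (assumed value)


class TokenStore:
    """Server-side record of issued tokens (in memory here; a DB table in practice)."""

    def __init__(self, server_secret: bytes):
        self._secret = server_secret
        self._issued = {}  # token_id -> {remote, username, file_id, expires, used}

    def _mac(self, token_id, remote, username, file_id):
        # The MAC ties the random id to the exact transaction it was issued for.
        msg = "|".join([token_id, remote, username, str(file_id)]).encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, remote, username, file_id, now=None):
        """Mint a token for one host, one user and one file."""
        now = time.time() if now is None else now
        token_id = secrets.token_hex(16)
        self._issued[token_id] = {
            "remote": remote, "username": username, "file_id": file_id,
            "expires": now + TOKEN_TTL, "used": False,
        }
        return token_id + "." + self._mac(token_id, remote, username, file_id)

    def consume(self, token, remote, username, file_id, now=None):
        """Return (True, 'ok') or (False, reason). Tokens are single-use."""
        now = time.time() if now is None else now
        try:
            token_id, mac = token.split(".", 1)
        except ValueError:
            return False, "malformed"
        rec = self._issued.get(token_id)
        if rec is None:
            return False, "unknown"
        expected = self._mac(token_id, rec["remote"], rec["username"], rec["file_id"])
        if not hmac.compare_digest(mac, expected):
            return False, "bad mac"
        if rec["used"]:
            return False, "replayed"
        if now > rec["expires"]:
            return False, "expired"
        # Host-level trust is not enough: the token must match the transaction
        # it was issued for, not merely arrive from a trusted peer.
        if (rec["remote"], rec["username"], rec["file_id"]) != (remote, username, file_id):
            return False, "wrong transaction"
        rec["used"] = True
        return True, "ok"


# Constructed stand-ins for the peer list and the file table.
TRUSTED_HOSTS = {"https://remote.example.org"}
FILES = {42: b"file 42 contents"}


def get_file(store, remote, username, file_id, token):
    """Host check first (the find_remote_user step), then the per-transaction token."""
    if remote not in TRUSTED_HOSTS:
        raise PermissionError("untrusted host")
    ok, reason = store.consume(token, remote, username, file_id)
    if not ok:
        raise PermissionError("token rejected: " + reason)
    return FILES[file_id]


def demo():
    """Exercise the accept and reject paths with fixed clock values."""
    store = TokenStore(secrets.token_bytes(32))
    remote = "https://remote.example.org"
    results = {}
    t1 = store.issue(remote, "alice", 42, now=1000.0)
    results["first"] = store.consume(t1, remote, "alice", 42, now=1001.0)
    results["replay"] = store.consume(t1, remote, "alice", 42, now=1002.0)
    t2 = store.issue(remote, "alice", 42, now=1000.0)
    results["other_file"] = store.consume(t2, remote, "alice", 43, now=1001.0)
    results["other_host"] = store.consume(t2, "https://evil.example.org", "alice", 42, now=1001.0)
    tampered = t2[:-1] + ("0" if t2[-1] != "0" else "1")
    results["tampered"] = store.consume(tampered, remote, "alice", 42, now=1001.0)
    t3 = store.issue(remote, "alice", 42, now=1000.0)
    results["expired"] = store.consume(t3, remote, "alice", 42, now=1000.0 + TOKEN_TTL + 1)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Without the token, get_file is gated only by the host check, so any request a trusted peer sends for any (username, id) pair is honoured; the token turns that into "this file, for this user, approved once, within this window". Whether that extra binding is worth the round trip is the judgement call the thread is asking about.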