29 April 2009, 21:05

Hi,

I'm implementing some new XMLRPC functions into Mahara.

get_file($username, $id) should exporta file. I wonder if I need to implement a token system as in send_content_ready(). I mean if the username is already tested against the remote host (find_remote_user), do we need a token for this specific transaction?

What could happen if there is no token checking? 

29 April 2009, 22:07

Hi - what do you mean by 'is already tested against the remote host (find_remote_user)'. Are you saying that the remote system knows the username is valid and therefore should be able to call get_file safely, or are you saying something else?

Other question: at the time get_file is called, does the user have a SSO session started there? Or is that not always the case?

30 April 2009, 2:06

Hi Nigel,

yes the SSO session always started before get_file is called.

As find_remote_user($username, $REMOTEWWWROOT) should return a remote site user, I consider the user as valid. But maybe I'm wrong? Is that not safe to call get_file() if the user is valid? I don't see a way to fake the user identity so it's why I wonder if the token system is necessary.

I don't mind at all to add a token checking. I just don't want to add stuff if it's not necessary.