Idea #1904

Updated by Tom Clegg almost 10 years ago

Proposed approach

Text removed in this update:

* Owner creates a token scoped to the object being shared. _(Semantics of token scopes might need to be clarified: How do you say "read only" here?)_
* Use something like the existing @?api_token=@ behavior to embed the token into the "link to share", but use a different name. Using a "share" link shouldn't interfere with a user's real login session.
* Propagate the token given in the URL to the "download" links on the collections#show page, so those links can be copied to a @wget@ command line.

Text added in this update:

This has two parts:

# Implement a special "Anonymous" group
#* Created automatically, much like the "system group". uuid = @xyzzy-j7d0g-anonymouspublic@?
#* In permission checks, make sure @anonymous_group_uuid@ is always in the list of readable groups.
#* This should produce the desired result if someone shares an object with the Anonymous group -- at least for users who are logged in.
# Adjust permission system so users can get "anonymous" privileges without even logging in.
#* Careful in the API server not to let anonymous user modify itself (or anything else normally allowed by permission system).
#* API server has to decide whether to say "please log in" or "just do stuff that anonymous user can do". (Perhaps "no token" = anonymous?)
#* Workbench has a similar problem: No session = anonymous?
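
A sketch of the two-part "Anonymous" group proposal as a permission check, added here as an illustration and not taken from the Arvados code base. Every class, method, token and object name is hypothetical; only the group uuid comes from the description. It assumes "no token" means anonymous, that an invalid token gets "please log in" instead of a silent downgrade, and that the Anonymous group only ever grants read access.

```ruby
require 'set'

# uuid floated in the description; everything else below is constructed.
ANONYMOUS_GROUP_UUID = 'xyzzy-j7d0g-anonymouspublic'

Principal = Struct.new(:uuid, :group_uuids, :anonymous)

class PermissionChecker
  # tokens: token string => Principal (stand-in for a token table)
  # links:  [grantee_uuid, object_uuid, :can_read | :can_write]
  def initialize(tokens:, links:)
    @tokens = tokens
    @links = links
  end

  # "No token" = anonymous. A token that is present but unknown is rejected,
  # so a stale or forged token cannot fall back to anonymous access.
  def principal_for(token)
    if token.nil? || token.empty?
      return Principal.new('anonymous-user-placeholder', [], true)
    end
    @tokens.fetch(token) { raise ArgumentError, 'invalid token: please log in' }
  end

  # The anonymous group is always in the readable list, logged in or not.
  def readable_groups(principal)
    Set.new(principal.group_uuids) << ANONYMOUS_GROUP_UUID
  end

  def can_read?(principal, object_uuid)
    grantees = readable_groups(principal) << principal.uuid
    @links.any? { |who, obj, _level| obj == object_uuid && grantees.include?(who) }
  end

  # The anonymous user never writes, and membership in the anonymous group
  # is left out of the write check, so a link to that group cannot grant write.
  def can_write?(principal, object_uuid)
    return false if principal.anonymous
    grantees = Set.new(principal.group_uuids) << principal.uuid
    @links.any? do |who, obj, level|
      obj == object_uuid && level == :can_write && grantees.include?(who)
    end
  end
end
```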
