Downloading public details of users as a guest
Sébastien Aperghis-Tramoni
sebastien at aperghis.net
Mon Apr 8 00:34:59 CEST 2013
Gabor Szabo wrote:
> On Tue, Apr 2, 2013 at 11:26 PM, Sébastien Aperghis-Tramoni
> <sebastien at aperghis.net> wrote:
>
>> It's a simple shared secret; the handler just checks if the key exists in the config:
>> » https://github.com/book/Act/blob/master/lib/Act/Handler/WebAPI.pm#L45
>>
>> And yes, you can define it in your local act.ini
>>
>>> I tried to configure the API key for the ILPW2013 but it seems my svn
>>> commits are not deployed
>>> to the live site. Is something broken on the act server or am I doing
>>> something wrong?
>>
>>
>> No, that's normal behavior: closed conferences only get svn-updated once per day, at midnight.
>
> OK, so after waiting the right amount of time I see the site got
> updated and I can use the API_key with the ILPW2013 site.

Next time, don't hesitate to ping me on IRC so I svn update the repository.

> If I understand this correctly I still need to ask each conference
> organizer to add an API_key, right?

No, a user can be added in the global Act configuration, and thus access the information from all conferences. Barbie has such an access for the YAPC Surveys.

> If they put a key in then anyone can get any of the fields listed in
> https://github.com/book/Act/blob/master/lib/Act/Handler/WebAPI.pm#L12
> including fields that are otherwise not public such as 'email',
> 'address', 'vat' and maybe a few others. (I am happy to see that
> passwd is not among them.)
>
> If that's true, can Act administrators still allow this without giving
> out private information?

Most of this information is hidden unless you have the appropriate right. Except probably the name if the pseudonymous flag is enabled. Act::Handler::WebAPI clearly needs to be modified in order to correctly honor the rights.

--
Sébastien Aperghis-Tramoni
Close the world, txEn eht nepO.
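
The change the last reply calls for, sketched as an added example (not Act's code and not part of the original message): instead of only checking that the key exists, the handler attaches rights to each key and filters fields by them. The key strings, the right name `users_private`, the `filter_user` helper and every field name other than `email`, `address`, `vat` and `passwd` are assumptions made for illustration.

```perl
use strict;
use warnings;

# Hypothetical key table: each API key carries the rights granted to it.
# Key strings and the right name 'users_private' are constructed for this example.
my %API_KEYS = (
    'constructed-key-surveys' => { users_private => 1 },
    'constructed-key-basic'   => {},
);

# Field policy. email/address/vat are the fields named in the thread;
# the other field names are assumptions. Unlisted fields are never returned.
my %PUBLIC      = map { $_ => 1 } qw(user_id nick_name);
my %REAL_NAME   = map { $_ => 1 } qw(first_name last_name);
my %NEEDS_RIGHT = map { $_ => 'users_private' } qw(email address vat);

sub filter_user {
    my ($api_key, $user, @wanted) = @_;
    my $rights = defined $api_key ? $API_KEYS{$api_key} : undef;
    return unless $rights;                      # unknown key: nothing at all
    my %out;
    for my $f (@wanted) {
        if ($PUBLIC{$f}) {
            $out{$f} = $user->{$f};
        }
        elsif ($REAL_NAME{$f}) {
            # Real name stays hidden for pseudonymous users without the right.
            $out{$f} = $user->{$f}
                if !$user->{pseudonymous} || $rights->{users_private};
        }
        elsif (my $need = $NEEDS_RIGHT{$f}) {
            $out{$f} = $user->{$f} if $rights->{$need};
        }
        # Anything else (passwd, unknown names) is dropped silently.
    }
    return \%out;
}

# Constructed sample record.
my %user = (
    user_id => 42, nick_name => 'example', first_name => 'Alex', last_name => 'Doe',
    pseudonymous => 1, email => 'alex@example.org', address => '1 Example St',
    vat => 'XX000000', passwd => 'not-returned',
);
my @fields = qw(user_id nick_name first_name email vat passwd);
for my $key ('constructed-key-basic', 'constructed-key-surveys', 'wrong-key') {
    my $r = filter_user($key, \%user, @fields);
    print "$key: ", ($r ? join(', ', map { "$_=$r->{$_}" } sort keys %$r) : 'denied'), "\n";
}
```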