Downloading public details of users as a guest

Sébastien Aperghis-Tramoni sebastien at aperghis.net
Mon Apr 8 00:34:59 CEST 2013


Gabor Szabo wrote:

> On Tue, Apr 2, 2013 at 11:26 PM, Sébastien Aperghis-Tramoni
> <sebastien at aperghis.net> wrote:
> 
>> It's a simple shared secret; the handler just checks if the key exists in the config:
>> » https://github.com/book/Act/blob/master/lib/Act/Handler/WebAPI.pm#L45
>> 
>> And yes, you can define it in your local act.ini
>> 
>>> I tried to configure the API key for the ILPW2013 but it seems my svn
>>> commits are not deployed
>>> to the live site. Is something broken on the act server or am I doing
>>> something wrong?
>> 
>> 
>> No, that's normal behavior: closed conferences only get svn-updated once per day, at midnight.
> 
> OK, so after waiting the right amount of time I see the site got
> updated and I can use the API_key with the ILPW2013 site.

Next time, don't hesitate to ping me on IRC so I svn update the repository.

> If I understand this correctly I still need to ask each conference
> organizer to add an API_key, right?

No, a user can be added in the global Act configuration, and thus access the information from all conferences. Barbie has such an access for the YAPC Surveys.

> If they put a key in then anyone can get any of the fields listed in
> https://github.com/book/Act/blob/master/lib/Act/Handler/WebAPI.pm#L12
> including fields that are otherwise not public such as 'email',
> 'address', 'vat' and maybe a few others. (I am happy to see that
> passwd is not among them.)
> 
> If that's true, can Act administrators still allow this without giving
> out private information?


Most of this information is hidden unless you have the appropriate right. Except probably the name if the pseudonymous flag is enabled. Act::Handler::WebAPI clearly needs to be modified in order to correctly honor the rights.


-- 
Sébastien Aperghis-Tramoni

Close the world, txEn eht nepO.
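The last point of the message above, that the API handler should hand out only the fields the caller is entitled to see, can be illustrated with an explicit field allow-list. The following Perl is an added example written for this page; it is not Act's own code, and the field names, the `pseudonymous` flag handling and the `has_right` shape of the caller record are assumptions chosen for the illustration.

```perl
#!/usr/bin/env perl
# Added illustration, not code from Act: restrict the user fields an API
# response may carry according to the caller's rights and the user's
# pseudonymous flag. Field groups and the rights model are assumptions.
use strict;
use warnings;

# Fields anyone holding the shared API key may see (assumption).
my @PUBLIC_FIELDS  = qw(user_id login country timezone);
# Fields that additionally require the caller to hold a right (assumption).
my @PRIVATE_FIELDS = qw(email address vat);
# Fields shown only when the user has not asked to stay pseudonymous (assumption).
my @NAME_FIELDS    = qw(first_name last_name);

# Return the subset of %$user that $caller may see.
# $caller is a hashref such as { has_right => 1 } (assumed shape).
sub visible_fields {
    my ($user, $caller) = @_;
    my @allowed = @PUBLIC_FIELDS;
    push @allowed, @NAME_FIELDS    unless $user->{pseudonymous};
    push @allowed, @PRIVATE_FIELDS if $caller->{has_right};

    my %out;
    for my $field (@allowed) {
        $out{$field} = $user->{$field} if exists $user->{$field};
    }
    return \%out;
}

# Constructed sample record, not real user data.
my $user = {
    user_id      => 42,
    login        => 'jdoe',
    country      => 'fr',
    timezone     => 'Europe/Paris',
    first_name   => 'Jane',
    last_name    => 'Doe',
    pseudonymous => 1,
    email        => 'jdoe@example.invalid',
    address      => '1 rue Exemple',
    vat          => 'FR00000000000',
    passwd       => 'hash-goes-here',   # never copied: in no allow-list
};

for my $caller ({ has_right => 0 }, { has_right => 1 }) {
    my $out = visible_fields($user, $caller);
    printf "has_right=%d -> %s\n",
        $caller->{has_right}, join(',', sort keys %$out);
}
```

Because the handler copies only named fields into the response, a column that is never listed (the password hash here) cannot leak even if the stored record grows later, and the pseudonymous check keeps the name out of the public view regardless of the caller's key.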
