#pragma page-filename DEV/versions/11960537
== Require user authentication in Core - and implement ACL in there ==

{{{#!table
'''Pro '''

|| '''Con 
<<BR>> '''
==
Very secure interface<<BR>> 

|| Lot's of work in the Core UI to be done<<BR>> 
==
REST-API could be extended to remote clients<<BR>> (not Localhost only)<<BR>> 

|| you would need to authenticate to the Core<<BR>> 

==

|| difficult to know for WebUI what it is allowed to show<<BR>> 
}}}

== Pass Optional User Levels with each item you get via REST (by wacky, benste) ==

{{{#!table
'''Pro '''

|| '''Con 
<<BR>> '''
==
each UI could access these Level directly while working with an item<<BR>> 

|| Messing up the item <<BR>> 
==
ACLs are treated optional - e.g. plugins could enable additional feautres 

|| Lack of security once you've got Web Plugins<<BR>> 
==
very easy to show and hide items in the WebUI based on ACL<<BR>> 

|| this only applys for list style values, not for actions<<BR>> 

==

|| complete rewrite of REST needed<<BR>> 

==

|| user-levels could be treated in DOC<<BR>> 

==

|| Do we already have other than the mailman-web Django Project who access REST ?<<BR>> 
}}}

== Use another Middleware (by barry) ==

Reasons for running REST-API as root@localhost:

 * keeps the REST API simple
 * keeps the Data Model simple
 * clients have unlimmited functional flexibility
 * not locked into the core's perception of permissions and security<<BR>> VS: requiring every client to implement security, access and permissions

It could do the permission check, filter the request as<<BR>> appropriate, and forward it to the core. Of course, responses could also be<<BR>> filtered if necessary, but this would present exactly the API that clients<<BR>> required.

It's also supposed to do Authentification

{{{#!table
'''Pro <<BR>> '''

|| '''Con '''
==
not messing up REST neither CORE <<BR>> 

|| cloning REST-Api with additional informations (if there is no possibility to check method calls e.g as a list)<<BR>> 
==
pluggability and customization for<<BR>> various environments <<BR>> 

|| need to write a site plugin to use another authentification framework 

==

|| 
}}}

== Implement it in the WebUI only ==

{{{#!table
'''Pro '''

|| '''Con 
<<BR>> '''
==
No need to change Core<<BR>> 

|| every UI would need to it again - e.g taking a look at the documentation<<BR>> Very big workload for every UI<<BR>> 

==

|| 

==

|| 
}}}