Let's add a column to each script in the security schema to specify whether or not that script can be called by a URL. Turn if off by default.
Don't forget to vote it up yourself.
I think we need a way to pass authentication in a way that is not seen or snooped. Allowing a script to run by URL still needs some security.
I think we need both.
I agree with Beverly on this. Security comes first and with URLs you need to pass authentication
Am I missing something? I don't see how the two security features conflict with each other, but you're talking as if they are somehow.
jb, I guess I'm trying to visualize what you mean by
each script in the security schema
so, is the person "authenticated" already and an URL is used?
I'm proposing that the ability to run a script by URL be set at the privilege set level. So (1) a user has to be authenticated (whether they are already logged-in or something is included in or parallel to the URL call), and then (2) my proposal kicks in to check that the requested script can be run in the user's privilege set. The point is that developers should be able to control what scripts can and can't be called by URL, and the privilege set script settings seems to me as reasonable a place as any to do it. Authentication is a separate (pre-requisite) issue.
awesome. Sounds good then.
Retrieving data ...