Replies inline.

On Thu, Mar 8, 2012 at 1:49 AM, Robert Munteanu <robert.munteanu@gmail.com> wrote:
On Thu, Mar 8, 2012 at 11:44 AM, David Hicks <d@hx.id.au> wrote:
> On Tue, 2012-03-06 at 17:24 +0200, Robert Munteanu wrote:
>> > 2. Disable SOAP by default (don't let anyone call mantisconnect.php)
>> > unless it has been explicitly enabled in config_inc.php.
>>
>> Why?
>
> Two points of failure instead of one (for trackers that don't have any
> users that connect via SOAP).

That's a valid point.

[Victor] I'm in favor of keeping it on.
>
> However, on second thoughts, I retract this proposal on the grounds that
> SOAP _should_ be enabled all the time. It is a feature that is designed
> to make it easier for _users_, not the administrators of a bug tracker.
> Administrators should be providing this feature to users all the time
> because it is a user choice as to whether they want to use SOAP.

Do you think that this should be a more visible configuration setting? Some examples:

1. SOAP API access moved directly to config_inc.php instead of the
current separate configuration file which is probably not found by
people glancing over their default settings.

[Victor] Given that the SOAP API is now part of MantisBT, we may want to consider this option.  In the meantime, we can reference the SOAP configuration file in config_defaults_inc.php and config_inc.sample.php.

2. SOAP API access defined per user, similar to enabled/protected,
defaults to true

[Victor] I like it ON for all users.  However, if we are to consider this not being the case, we could consider disabling it for users with access level <= REPORTER and the anonymous user by default, or make sure it is easier to configure the system in such a state.  The risk of having reporters comes from the fact that we allow auto-signup; if the instance doesn't, then it really makes sense to open it for all.

We should make sure we allow users to easily lock things down and achieve the right balance of restricting trusted vs. untrusted users.  From what I remember, this already exists by having read-only vs. read-write access based on access level.  However, we don't default that based on other features like auto-signup, for example.

Robert

>
> Cheers
> David
>
> ------------------------------------------------------------------------------
> Virtualization & Cloud Management Using Capacity Planning
> Cloud computing makes use of virtualization - but cloud computing
> also focuses on allowing computing to be delivered as a service.
> http://www.accelacomm.com/jaw/sfnl/114/51521223/
> _______________________________________________
> mantisbt-dev mailing list
> mantisbt-dev@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mantisbt-dev
>



--
Sent from my (old) computer
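One way to express the auto-signup-aware default that Victor says does not exist today, as an added example (this is not code from MantisBT or from anyone in this thread). It is written as a fragment of the separate SOAP configuration file Robert refers to, and it assumes the 1.2-era option names `$g_allow_signup`, `$g_webservice_readonly_access_level_threshold` and `$g_webservice_readwrite_access_level_threshold` together with the `config_get()` helper from core.php; check them against the defaults file of the version actually deployed.

```php
<?php
// Added example, not MantisBT's own configuration. Intended for the separate
// SOAP configuration file (assumed: api/soap/mc_config_inc.php), loaded after
// core.php so config_get() is available.
//
// Idea from the thread: the read-only / read-write split already exists via
// access-level thresholds; tie the read-write threshold to whether the
// instance lets anyone self-register.

// Read-only SOAP calls (e.g. listing issues the account can already see in
// the web UI) stay open to every logged-in VIEWER; this mirrors what the
// browser session can do, so it adds no new exposure.
$g_webservice_readonly_access_level_threshold = VIEWER;

if ( ON == config_get( 'allow_signup' ) ) {
    // Open sign-up: anyone can obtain a REPORTER account in seconds, so keep
    // the write surface (mc_issue_add, mc_issue_note_add, ...) above REPORTER
    // until a manager deliberately raises the account's access level.
    $g_webservice_readwrite_access_level_threshold = DEVELOPER;
} else {
    // Closed instance: every account was created by an administrator, so
    // reporters are already trusted and the stock default is fine.
    $g_webservice_readwrite_access_level_threshold = REPORTER;
}
```

The threshold only narrows who may write through SOAP; it does not change what those users may do through the regular web forms, so it is a way to keep the API "on for all" as Victor prefers while still letting an administrator of an auto-signup instance lock the write path down in one place.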
