Re: [OpenSPP-project] What is the correct behavior of DelDestGrpRqst when the targeted group does n
From: Dean W. <dea...@so...> - 2011-08-30 02:31:51
Ok, if it's according to the spec, it's not a bug in OpenSPP. We just have to make sure we keep the same "happy" response even for an authorization failure on an object delete.

Thanks!

--
Dean

On 8/24/11 8:29 AM, Cartwright, Ken wrote:
> The behavior you are describing is correct per the current wording in
> the spec. But I do not see it as a noteworthy item, so I could
> actually go either way on it. Both approaches have advantages and
> neither of the two approaches necessitates a change to the XSD or the
> WSDL or the response codes.
>
> Ken
> ________________________________________
> From: Dean Willis [dea...@so...]
> Sent: Tuesday, August 23, 2011 7:45 PM
> To: ope...@li...
> Subject: [OpenSPP-project] What is the correct behavior of DelDestGrpRqst when the targeted group does not exist or has been previously deleted?
>
> Right now, I can run repeated delete group requests, specifying the
> same group, and always get the same code 1000 Overall Success
> response.
>
> This doesn't seem right. What should it do?
>
>
> But it raises a question about a threat model.
>
> Suppose I attempt to delete a DestGrp that I should not be authorized
> to delete, or even see. If the response returns as "unauthorized", as
> opposed to "not found", do I now know about the existence of a
> DestGrp that I was only guessing existed?
>
> Is this a problem?
>
> Always returning a "happy" response precludes the information leak,
> but it could cause other problems.
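The two response policies the thread weighs, modelled as an added example that is not part of the thread or of OpenSPP: a DelDestGrpRqst handler that returns distinct "not found" and "unauthorized" codes beside one that always returns code 1000 and records the real outcome only in a server-side audit log. The group store, the caller names and the non-1000 codes are constructed for the illustration; only code 1000 "Overall Success" comes from the thread.

```python
# Added example, not OpenSPP's own code. Models the two DelDestGrpRqst
# response policies discussed in the thread. Only code 1000 comes from the
# thread; the other codes, the store and the callers are constructed here.

from dataclasses import dataclass, field

OVERALL_SUCCESS = 1000   # "Overall Success", from the thread
NOT_FOUND = 2404         # constructed placeholder code
UNAUTHORIZED = 2403      # constructed placeholder code


@dataclass
class GroupStore:
    # group id -> owner; a missing key means the group does not exist
    groups: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def _authorized(self, caller, group_id):
        return self.groups.get(group_id) == caller

    def del_dest_grp_leaky(self, caller, group_id):
        """Distinct codes: the caller can tell 'absent' from 'present but not mine'."""
        if group_id not in self.groups:
            return NOT_FOUND
        if not self._authorized(caller, group_id):
            return UNAUTHORIZED
        del self.groups[group_id]
        return OVERALL_SUCCESS

    def del_dest_grp_uniform(self, caller, group_id):
        """Same 'happy' response in every case; the distinction goes to the audit log only."""
        if group_id in self.groups and self._authorized(caller, group_id):
            del self.groups[group_id]
            self.audit.append((caller, group_id, "deleted"))
        else:
            # Not found, already deleted, or not authorized: recorded server-side,
            # never distinguished in the response. Repeated deletes are idempotent.
            self.audit.append((caller, group_id, "no-op"))
        return OVERALL_SUCCESS


def probe(handler, caller, group_ids):
    """Responses one caller sees across a set of guessed group ids."""
    return {gid: handler(caller, gid) for gid in group_ids}
```

The audit log keeps the unauthorized attempts visible to the operator even though the response hides them from the caller.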