Story #1904
Updated by Tom Clegg almost 11 years ago
Proposed approach

This has two parts:

# Implement a special "Anonymous" group
#* Created automatically, much like the "system group". uuid = @xyzzy-j7d0g-anonymouspublic@?
#* In permission checks, make sure @anonymous_group_uuid@ is always in the list of readable groups.
#* This should produce the desired result if someone shares an object with the Anonymous group -- at least for users who are logged in.
# Adjust permission system so users can get "anonymous" privileges without even logging in.
#* Careful in the API server not to let anonymous user modify itself (or anything else normally allowed by permission system).
#* API server has to decide whether to say "please log in" or "just do stuff that anonymous user can do". (Perhaps "no token" = anonymous?)
#* Workbench has a similar problem: No session = anonymous?

* Owner creates a token scoped to the object being shared. _(Semantics of token scopes might need to be clarified: How do you say "read only" here?)_
* Use something like the existing @?api_token=@ behavior to embed the token into the "link to share", but use a different name. Using a "share" link shouldn't interfere with a user's real login session.
* Propagate the token given in the URL to the "download" links on the collections#show page, so those links can be copied to a @wget@ command line.
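A sketch of the Anonymous-group permission check described above, added here as an illustration; it is not part of the story and not Arvados code. Every name, the sample uuids other than @xyzzy-j7d0g-anonymouspublic@, and the choices to treat "no token" as anonymous and to reject bad tokens are assumptions.

```ruby
# Added illustration; every name below is hypothetical, not Arvados code.
ANON_GROUP = "xyzzy-j7d0g-anonymouspublic"  # uuid floated in the proposal
ANON_USER  = "xyzzy-tpzed-anonymoususer00"  # constructed placeholder
ALICE      = "xyzzy-tpzed-alice0000000000"  # constructed placeholder
SHARED     = "xyzzy-4zz18-sharedcollectn0"  # constructed placeholder
PRIVATE    = "xyzzy-4zz18-privatecollect0"  # constructed placeholder

Principal = Struct.new(:uuid, :group_uuids) do
  def anonymous?
    uuid == ANON_USER
  end
end

# Constructed sample grants: object uuid => { grantee uuid => level }
GRANTS = {
  SHARED    => { ANON_GROUP => :read },
  PRIVATE   => { ALICE => :write },
  ANON_USER => { ANON_USER => :write },  # a user can normally edit itself
}
TOKENS = { "alice-token" => Principal.new(ALICE, []) }  # constructed

# Part 2 (assumed answer): no token means anonymous; a bad token is rejected.
def principal_for(token)
  return Principal.new(ANON_USER, []) if token.nil? || token.empty?
  TOKENS.fetch(token) { raise ArgumentError, "invalid token, please log in" }
end

# Part 1: the anonymous group is always in the list of readable groups.
def readable_groups(principal)
  ([principal.uuid] + principal.group_uuids + [ANON_GROUP]).uniq
end

def allowed?(principal, action, object_uuid)
  grants = GRANTS.fetch(object_uuid, {})
  case action
  when :read
    readable_groups(principal).any? { |g| grants.key?(g) }
  when :write
    # The anonymous user never writes, not even to its own record.
    return false if principal.anonymous?
    # Assumption: the anonymous group is consulted for reads only.
    ([principal.uuid] + principal.group_uuids).any? { |g| grants[g] == :write }
  else
    false
  end
end
```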