Moonshine-IDE / Super.Human.Portal

Portal interface to show documentation for DominoVagrant and Super.Human.Installer

Security When Running on Production Server #32

Open JoelProminic opened 1 year ago

JoelProminic commented 1 year ago

30 has been stuck for a while because of concerns I had with installing and using superhumanportal on production servers. Super.Human.Portal was originally written to be a helper for testing Genesis on a test Domino server created with Super.Human.Installer, so accessibility was prioritized over security.

I thought that the agents supported the allow_anonymous configuration option so that we could at least disable public access (though this defaults to true to support the Super.Human.Installer instances). However, when revisiting this today, I found that this was limited to the XMLAuthenticationTest agent logic - the other agents are set to allow any access.

It may be simplest to restrict the access with the ACL. In this case, it would make sense to set the default ACL to only allow the server admin users to use the agents, and then override the ACL and/or configuration settings in Super.Human.Installer to change the access to anonymous.

JoelProminic commented 2 months ago

I think these requirements are covered by #43 (see the test matrix here)

JoelProminic commented 1 month ago

I was debugging something for the SuperHumanPortal.nsf ACL today, and I noticed that the -Default- ACL entry was set to Designer access. This is too much access now that we are locking down the database with the additional security.

However, when I checked my agent to create new copies of the database, I found that it was set to No Access:

        setACLEntry(acl, "-Default-", ACL.LEVEL_NOACCESS, ACLEntry.TYPE_UNSPECIFIED, false, false);

This might be too restrictive - it could lock out non-administrator users on the server.

I'll think about this more once I revisit the database update.
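A defender's check for the -Default- level discussed in the comment above, written here as an added Domino Java agent example (not the project's code). The policy maximum (Reader), the body of the setACLEntry helper and the database path are assumptions; only the call on the page is the project's own.

```java
import lotus.domino.ACL;
import lotus.domino.ACLEntry;
import lotus.domino.Database;
import lotus.domino.NotesException;
import lotus.domino.Session;

// Added example, not the project's code: audit the -Default- entry of SuperHumanPortal.nsf.
public class DefaultAclAudit {
    // Assumed policy for this example: -Default- must not exceed Reader. Domino levels are
    // ordered NOACCESS(0) < DEPOSITOR < READER < AUTHOR < EDITOR < DESIGNER < MANAGER(6).
    static final int MAX_DEFAULT_LEVEL = ACL.LEVEL_READER;

    // Returns true when -Default- is at or below the policy maximum; prints the finding either way.
    static boolean defaultWithinPolicy(Database db) throws NotesException {
        ACL acl = db.getACL();
        ACLEntry def = acl.getEntry("-Default-");   // -Default- always exists in a Domino ACL
        int level = def.getLevel();
        boolean ok = level <= MAX_DEFAULT_LEVEL;
        System.out.println(db.getFilePath() + ": -Default- level " + level
                + (ok ? " (within policy)" : " (EXCEEDS policy max " + MAX_DEFAULT_LEVEL + ")"));
        return ok;
    }

    // Reconstruction of the thread's setACLEntry helper. The page shows only the call, so the
    // mapping of the two booleans to create/delete-document rights is an assumption.
    static void setACLEntry(ACL acl, String name, int level, int userType,
                            boolean canCreateDocs, boolean canDeleteDocs) throws NotesException {
        ACLEntry entry = acl.getEntry(name);
        if (entry == null) {
            entry = acl.createACLEntry(name, level);
        } else {
            entry.setLevel(level);
        }
        entry.setUserType(userType);
        entry.setCanCreateDocuments(canCreateDocs);
        entry.setCanDeleteDocuments(canDeleteDocs);
        acl.save();
    }

    // Entry point for an agent: 'session' is the agent's Session; the database path is assumed.
    // Remediation lowers -Default- only to the policy maximum, not to No Access, since the thread
    // notes that NOACCESS could lock out non-administrator users.
    static void run(Session session) throws NotesException {
        Database db = session.getDatabase("", "SuperHumanPortal.nsf");
        if (!defaultWithinPolicy(db)) {
            setACLEntry(db.getACL(), "-Default-", MAX_DEFAULT_LEVEL,
                        ACLEntry.TYPE_UNSPECIFIED, false, false);
        }
    }
}
```

Run from a scheduled or manually triggered agent with a signer that has Manager access; without it, acl.save() fails with a NotesException rather than silently leaving the Designer default in place.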

JoelProminic commented 3 weeks ago

Revisiting this today, I found that the current production Genesis copy of SuperHumanPortal.nsf also has -Default- access set to NOACCESS. So, it seems this is not a problem for Genesis, but it could be changed as part of the Genesis installation.