Open JoelProminic opened 1 year ago
I think these requirements are covered by #43 (see the test matrix here)
allow_anonymous
is applied to all agentsI was debugging something for the SuperHumanPortal.nsf ACL today, and I noticed that the -Default-
ACL entry was set to Designer
access. This is too much access now that we are locking down the database with the additional security.
However, when I checked my agent to create new copies of the database, I found that it was set to No Access:
setACLEntry(acl, "-Default-", ACL.LEVEL_NOACCESS, ACLEntry.TYPE_UNSPECIFIED, false, false);
This might be too restrictive - it could lock out non-administrator users on the server.
I'll think about this more once I revisit the database update.
Revisiting this today, I found that the current production Genesis copy of SuperHumanPortal.nsf also has -Default- access set to NOACCESS. So, it seems this is not a problem for Genesis, but it could be changed as part of the Genesis installation.
30 has been stuck for a while because of concerns I had with installing and using
superhumanportal
on production servers. Super.Human.Portal was originally written to be a helper for testing Genesis on a test Domino server created with Super.Human.Installer, so accessibility was prioritized over security.I thought that the agents supported the
allow_anonymous
configuration option so that we could at least disable public access (though this defaults totrue
to support the Super.Human.Installer instances. However, when revisiting this today, I found that this was limited to the XMLAuthenticationTest agent logic - the other agents are set to allow any access.It may be simplest to restrict the access with the ACL. In this case, it would make sense to set the default ACL to only allow the server admin users to use the agents, and then override the ACL and/or configuration settings in Super.Human.Installer to change the access to anonymous.