Closed teleyinex closed 12 years ago
1- I think the API ID should not be related to the User, but to the Applications. It will be important to know statistics about API calls by App, and not by users. (at least it is like this at Twitter, Facebook, and others)
2- Inside an Application it will probably be needed the "App Admin" role, where its creator will be the first one and will invite other users to join this.
@nigini I think that your two points are really valuable! Unless, @rgrp thinks different, we should proceed with your idea.
To clarify: I've added to main overview a general approach from elsewhere that I've found useful. Specific comments:
@teleyinex
@nigini:
@rgrp I just removed the Flask-Login sentence from the first comment.
@rgrp I have added some comments to your proposal, and I have fulfilled the TaskRun object.
I have updated also the user stories, so we can include them here.
@rgrp! About the API KEY, a user may have many applications, and can share app's administration with other users. If you have an API KEY per user, you will easy expose data from all your application once other developer is invited to help you at one of them. Other important thing is to have API call statics per application, what can be easily done using an APP-KEY.
I imagine that the community have other explanations to do it like this (and I will start studing more about API to help here), but a good plus to this idea is that Google, Twitter and Facebook all implements its services like this.
I support @nigini idea, as I see that it could be a problem to have only one owner per application. Thus, a user story for this case would be the following (obviously from my point of view):
As a project organizer I would like to create, update and delete applications becoming the owner of the application. As a project organizer I would like to invite other colleagues to help me to administer my applications, giving them the following permissions:
I've made some minor tweaks to proposal around allowing anonymous visitors to still do task runs.
@teleyinex agreed that definitely nice to have co-administrators but wonder if this is something to leave for the future when the need has clearly arisen. We can probably get by in a first version without this and we should focus on "minimum viable product" (aka You ain't gonna (or may not) need it).
@nigini still not sure i get need for per-task API keys. If you want other collaborators to have access to your app I'd suggest we do this via an explicit collaborator system rather than sharing around a common API key.
@rgrp I agree that are other ways to do it, but I still will search for why the big ones adopts this APP-KEY solution.
I have updated the issue: I have unified the term anonymous to visitor to have the same terminology for the issue.
@rgrp fine! Let's move to the next stage, so we can start coding asap.
@nigini and @rgrp which approach do you want to use for this v0.1 (API key)?
I've clearly suggested that we leave API key as is: i.e. on per user (let's keep it ultra-simple!).
In terms of implementation I've added some comments to the main ticket.
OK @rgrp and @teleyinex!
I've readed the code that was pointed at the ticket, but if I'm not wrong, they are focused at authorization. As I'm interested in learning about these king of web development patterns, I was reading about OAuth. I've found this great tutorial about authentication with this pattern.
May I use these coding examples to draft something?
Hi,
I think that we have finally something :) Thus, the authentication will be kept: Flask-Login + API key per user. This solution enables two types of users:
Everyone agrees to proceed?
@nigini this ticket is in fact primarily about authorization (authentication could be dropped). If you want to code stuff re oauth outside of PyBossa please go ahead though I note that there is straightforward support for oauth in Flask via the Flask OAuth extension http://packages.python.org/Flask-OAuth/
@teleyinex we're good to go (and i'd suggest that we keep overall summary of what we are doing in the main description of the ticket so we can refer to it later (i've updated yesterday and I think is same as yours)
Sorry guys. I've mixed this issue with the #20 one. Everything I've posted here was related to the API security. Should I rewrite that issue with these observations I've posted here?
@rgrp @teleyinex I've read the suggested code at this issue description and vote for the second one (datahub). I've talked to @pudo (code author) about the solution and he still uses it.
But before I start, I would like to know if you know this library: http://pypi.python.org/pypi/Flask-Principal It probably does something really similar with pudo's solution but it's a Flask extension. The problem is that it's a beta version since 2010!
Do you think it's a good moment to analyse this option? Or should we go with something that's already known?
@nigini I have check the web about Flask-Principal and in general no one is using it :) It seems like the popular solution is to create a tailored solution for the project. Thus, let's go for @rgrp solutions!
OK! I'll start today!
@nigini can you wait a bit? I'm already assigned the task to me today, and I'm finishing right now the authentication + authorization just for applications. Then, when I submit the code, you can follow the same style.
API pretty much done (though not completely tested). Application create also done in WUI and at the moment nothing else.
It is important to discuss the minimum requirements that PyBossa will have according to authentication and authorization.
NB: Authentication in WUI already works and API key autentication is #20.
Authentication: for the moment there is a basic authentication method, that allows users to create an account, sign in and sign out.
Authorization: it is mandatory to identify which actions will be valid for different types of users. For the moment I think that the following roles will be possible:
@nigini, @rgrp it will be interesting to have your comments and feedback about these items.
Additional proposal (from RP -- but please mod)
NB: I think it would also be useful to have listed relevant user stories (or, at least, situations). That would help us check we have covered edge cases.
Situations - CRUD on core domain objects
App
Task
Tasks are always related to an App.
TaskRun
Implementation
See these two (almost identical implementations):
Even simpler option: