On Thu, Jul 29, 2010 at 11:24 AM, C. Michael Pilato
> On 07/29/2010 12:15 PM, Mark Phippard wrote:
>> On Thu, Jul 29, 2010 at 12:09 PM, C. Michael Pilato
>> <cmpilato_at_red-bean.com> wrote:
>>> b) If the prompting approach is preferred, what's a reasonable way to do
>>> this? The notification function cannot serve as a prompt. We could add a
>>> redirection_callback_func to the likes of svn_client_update,
>>> svn_client_checkout, svn_client_switch, svn_client_relocate, etc., but that
>>> seems like such a really weird concept to expose at the API level. We could
>>> introduce a custom prompting function in the client context baton. *shrug*
>>
>> My knowledge of the API is from JavaHL. In JavaHL, we have a callback
>> function where SVN can ask a Yes/No question. So I assume this is a
>> callback that already exists in SVN. Could you just use this existing
>> callback (with an appropriately worded Yes/No question)? Not sure
>> that makes it easier or not.
>>
>> If you went with a setting, were you going to propose the redirect
>> feature is on by default? I think it needs to be, else it is not
>> worth doing in the first place.
> I was originally thinking "off by default", but only because of the
> theoretical security implications of being automatically redirected to a URL
> (possibly a different machine, etc.) that differs from what you expected.
> Maybe I'm overthinking that, exaggerating the risk? If so -- if there's no
> risk to automatically following redirection notices -- then is there any
> value in having either configuration OR prompts for this behavior?

Also, where does this redirection occur in the order of handling
authn? I would expect a redirect to expire credentials, and to
trigger the prompt for the user to store them.
Received on 2010-07-29 18:48:33 CEST
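
The two concerns raised in this thread (being redirected to a different machine, and what happens to stored credentials when that occurs) can be expressed as one origin check. The sketch below is an added example, not Subversion code and not part of the original messages; the function names, the accepted-scheme table and the follow/prompt/refuse policy are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Schemes this hypothetical client accepts, with their default ports (assumption).
DEFAULT_PORTS = {"http": 80, "https": 443, "svn": 3690, "svn+ssh": 22}


def origin(url):
    """Return (scheme, host, port), lower-cased, with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)  # .port raises ValueError if invalid
    return scheme, host, port


def assess_redirect(old_url, new_url):
    """Return (action, keep_credentials) for a server-sent relocation notice.

    action is "follow", "prompt" or "refuse"; keep_credentials says whether
    credentials cached for old_url may be offered to new_url.
    """
    try:
        old, new = origin(old_url), origin(new_url)
    except ValueError:
        return "refuse", False            # malformed target, e.g. port out of range
    if not new[1] or new[0] not in DEFAULT_PORTS:
        return "refuse", False            # no host, or a scheme such as file://
    if old == new:
        return "follow", True             # same server, only the path moved
    if old[0] == "https" and new[0] != "https":
        return "refuse", False            # would drop transport protection
    # Different host, port or scheme: cached credentials belong to the old
    # origin, so ask the user and authenticate from scratch at the new one.
    return "prompt", False


if __name__ == "__main__":
    base = "https://svn.example.org/repos/project"   # constructed sample URLs
    for target in ("https://SVN.example.org:443/repos/moved",
                   "https://mirror.example.net/repos/project",
                   "http://svn.example.org/repos/project",
                   "file:///tmp/repo"):
        print(target, assess_redirect(base, target))
```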