[asterisk-dev] AstriDevCon - PineMango
thp at westhawk.co.uk
Sat Oct 11 16:47:35 CDT 2008
On 11 Oct 2008, at 20:36, Johansson Olle E wrote:
> 11 okt 2008 kl. 21.29 skrev Tim Panton:
>> In these cases they had to throw out most of the implementation of
>> core API
>> when they added the security layer but the API itself remained and
>> I'm assuming a definition of success you may not agree with ;-)
> Nevertheless you found an example that proves that I'm wrong.
> Regardless, I still think that abandoning an authorization model
> is a Very Bad Idea (TM).
> If we publish an API, someone will produce an application that
> breaks the core and hijacks channels left and right. It's better to do
> work first, than have to clean up the mess afterwards. We have a very
> large installed base out there, and a responsibility not only to help
> them protect
> their mission-critical PBX systems, but also integrate security as we
> forward, in order to enable them to use this functionality in their
> and on the Internet.
There is a distinction here: by API, I mean the layer which the
framework writers would use. So Jay might use it to implement
I might implement JTAPI on top of it, you might implement manager 2.0
Applications would use the _framework_ to get stuff done, so Java coders
would use JTAPI, and Ruby guys would use Adhearsion.
I'm arguing that the permission checking should be done in the
in a way that makes sense to that framework's problem space, rather
than being pushed down into the core API.
(There is a problem - what happens if you set up an Adhearsion system,
with a specific security model then someone writes a JTAPI app that
all those rules?)