[sugar] filtering result of an object chooser
Bert Freudenberg
bert
Sat Mar 1 15:32:44 EST 2008
On Mar 1, 2008, at 20:36 , Michael Stone wrote:
>>> I thought since this dialog involves explicit user interaction this
>>> is okay and not restricted by Rainbow?
>>
>> Oh, I thought you we proposing not using the object chooser at all?
>> That's what I understood by "A work-around is to query the datastore
>> directly and present the entries within your own UI".
Err, yes. I mistook your comment to apply to the dialog case.
>>>> Which API do you suggest to add to ObjectChooser? I'm willing to
>>>> look
>>>> into this in the near future.
>>>
>>> I'd simply add a query parameter to the ChooseObject() DBus call.
>>> Since no shipping activity uses this call directly AFAIK, it should
>>> be okay at to do at this time.
>>
>> I think Bitfrost says that activities that wish to access other
>> objects from the journal will need to ask for permission to read an
>> specific object type. Michael, can you comment on this?
>
> See tickets #2328 and #3801 [1,2] for my existing comments.
>
> [1] http://dev.laptop.org/ticket/2328
> [2] http://dev.laptop.org/ticket/3801
The only comment relating to the ObjectChooser I could see was
http://dev.laptop.org/ticket/2328#comment:15
But I can see what your concern is even in the read-only case - the
chooser returns an object_id and then the activity uses the normal
Datastore API to access it. This is a potentially risky two-step
process. How about instead returning a secure token from the
ObjectChooser that can only be used to read that specific entry? This
would guarantee the user actually designated this exact object to be
opened.
- Bert -
More information about the Sugar-devel
mailing list