[development] Introduction and Webservice Token Discussion

Benson Wong tummytech at gmail.com
Wed Jan 25 01:00:38 UTC 2006


Boris @ Bryght recommended that I join this list. So hello all. I'm a
little green to the Drupal development process so I'm going to jump
right in.

I was working on Web service authentication token functionality for
Drupal 4.7 (or 4.8). I wrote the code today and kept the
implementation minimal. I tied it into the session.inc functions in
Drupal, which made the most sense.

refer: http://drupal.org/node/46145 for the ongoing discussion.

I've attached the patch to this email.

Quick summary:

1. Uses the global $user
2. Tokens are passed in the GET string as: xmlrpc.php?token={big long string}
3. The tokens are just PHP session IDs
4. No modification to any current code to use. Code can use
user_access(..) as normal to check privileges
5. xmlrpc.php modified so if a valid token exists, it will swap the
anonymous sessionid with the authenticated one.

Unrelated, but I figured this was useful. Every anonymous xmlrpc
request creates a new anonymous session in the sessions table. I added
a couple lines of code to get rid of anonymous sessions in
xmlrpc_server() right before it sends back the response.

The same can probably be done for cron.php.

blog: http://www.mostlygeek.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xmlrpc.patch
Type: application/octet-stream
Size: 2701 bytes
Desc: not available
Url : http://lists.drupal.org/pipermail/development/attachments/20060125/195a4f4a/xmlrpc.obj
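
Added example, not part of the original post and not the contents of xmlrpc.patch: a PHP sketch of the check that summary items 2, 3 and 5 describe, where a `token` GET parameter is accepted only if it names a live authenticated session and the request otherwise stays on its anonymous session. The function names, token pattern, session lifetime and sample session rows are assumptions; an array stands in for the sessions table.

```php
<?php
// Added illustration, not the code from xmlrpc.patch. The $sessions array stands in
// for the sessions table; every name and value below is constructed.
const TOKEN_PATTERN = '/^[A-Za-z0-9,-]{22,128}$/'; // assumed session-ID alphabet and length
const SESSION_LIFETIME = 3600;                      // assumed lifetime in seconds

// Constructed sample rows: sid => [uid, last-access timestamp]. uid 0 is anonymous.
$sessions = [
    'a3f1c9d27b604e5f8a1b2c3d4e5f6071' => ['uid' => 7, 'timestamp' => 1138150000],
    '0b9e8d7c6a5f4e3d2c1b0a9f8e7d6c5b' => ['uid' => 0, 'timestamp' => 1138150000],
    'ffeeddccbbaa99887766554433221100' => ['uid' => 3, 'timestamp' => 1138000000],
];

/**
 * Return the session ID the request should run under: the token's session when the
 * token names a live authenticated session, otherwise the anonymous one unchanged.
 */
function resolve_request_sid(array $query, array $sessions, string $anonSid, int $now): string
{
    $token = $query['token'] ?? null;
    if (!is_string($token) || preg_match(TOKEN_PATTERN, $token) !== 1) {
        return $anonSid;                       // missing, array-valued or malformed
    }
    $row = $sessions[$token] ?? null;
    if ($row === null || $row['uid'] === 0) {
        return $anonSid;                       // unknown token, or an anonymous session
    }
    if ($now - $row['timestamp'] > SESSION_LIFETIME) {
        return $anonSid;                       // expired session must not authenticate
    }
    return $token;
}

/** Mask the token before a request URI is written to a log. */
function redact_token(string $uri): string
{
    return preg_replace('/([?&]token=)[^&#]*/', '$1[redacted]', $uri);
}

$now = 1138150600; // constructed "current time"
$anon = '0b9e8d7c6a5f4e3d2c1b0a9f8e7d6c5b';
parse_str('token=a3f1c9d27b604e5f8a1b2c3d4e5f6071', $q); // live authenticated session
var_dump(resolve_request_sid($q, $sessions, $anon, $now) !== $anon);
parse_str('token=ffeeddccbbaa99887766554433221100', $q); // expired session
var_dump(resolve_request_sid($q, $sessions, $anon, $now) === $anon);
parse_str('token[]=x', $q);                              // array-valued parameter
var_dump(resolve_request_sid($q, $sessions, $anon, $now) === $anon);
echo redact_token('/xmlrpc.php?token=a3f1c9d27b604e5f8a1b2c3d4e5f6071&x=1'), "\n";
```

Because the token is a session ID carried in the query string, `redact_token()` is included to keep it out of any request URI that gets logged.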
