List:       markus-dev
Subject:    Re: MarkUs security; API; multiple roles
From:       flaps () dgp ! toronto ! edu (Alan J Rosenthal)
Date:       2010-05-31 15:51:37
Message-ID: 20100531155137.7CAD12E4086 () zeus ! dgp ! toronto ! edu

Hi Byron!...

Karen presumably cc'd me on this to see if I had any observations to
contribute, so here are two:

I think it was Byron who wrote:
> It seems to us to be a pretty simple change, ultimately, to switch
> over to having the web server be responsible for authentication.  It
> would need to be configured, of course, to require authentication.  But
> then the MarkUs code just needs to verify that $REMOTE_USER is set and
> matches a name in its database.

I agree with this, for MarkUs and as a general principle.  My own webby
course-related systems use "HTTP AUTH" authentication.  All sorts of
things work better once the web browser and web server are controlling
the authentication.

For some reason, this is completely out of fashion in these Web 2.0 days,
where people prefer to have the application handle authentication and
to use HTTP "cookies" to manage state information.  I believe that this
particular aspect of MarkUs is derived from standard Ruby on Rails code
and wasn't invented here.  I can only speculate as to why "nobody uses HTTP
AUTH any more".

Even though it's much easier to use HTTP AUTH, it might be the case that
no one's implemented it for Ruby on Rails, dunno.


On another note, I think it was Karen who wrote:
> The files submitted by students can be submitted via the web interface,
> or directly using SVN.

In the case of stanley.cdf.toronto.edu, submissions "directly" using SVN also
go through the web server, just not through MarkUs.


And for item #3 out of 2, I'd also like to note that there are various
kludges which are possible to allow easy switching of logins even when using
HTTP AUTH.  They might be a bit confusing to students but should be usable
by instructors and TAs.  There's also a Firefox plugin which solves that
problem in general.

regards,
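As an added illustration of the scheme discussed in this thread (example code, not MarkUs's own and not from any poster), here is a small Rack-style middleware that leaves authentication to the web server and only checks that REMOTE_USER is set and matches a known login. The user table, role names and the `markus.user` env key are constructed for the example. The check it adds that a practitioner would want: only the server-set CGI variable `REMOTE_USER` is consulted, never a client-supplied header, which Rack would expose as `HTTP_X_REMOTE_USER` and which any client could forge.

```ruby
# Constructed stand-in for the application's user table: login => role.
KNOWN_USERS = {
  "c9smithj" => :student,
  "ta_lee"   => :ta,
  "profx"    => :instructor,
}.freeze

# Return { login:, role: } for the request, or nil when the web server did
# not authenticate the request or the login is not provisioned in the app.
def authenticate_remote_user(env, users = KNOWN_USERS)
  # REMOTE_USER is set by the web server after HTTP AUTH succeeds. A header
  # sent by the client (e.g. "X-Remote-User") shows up in Rack as
  # env["HTTP_X_REMOTE_USER"] and is deliberately ignored here.
  login = env["REMOTE_USER"]
  return nil if login.nil? || login.strip.empty?
  role = users[login]
  return nil if role.nil?
  { login: login, role: role }
end

# Middleware: refuse the request unless the server authenticated a known
# user, then hand the user record to the application under a hypothetical
# "markus.user" env key.
class RemoteUserAuth
  def initialize(app, users = KNOWN_USERS)
    @app = app
    @users = users
  end

  def call(env)
    user = authenticate_remote_user(env, @users)
    if user.nil?
      # Either the server is not enforcing auth on this path, or the login
      # is unknown to the application; in both cases deny rather than guess.
      return [403, { "Content-Type" => "text/plain" }, ["Forbidden\n"]]
    end
    env["markus.user"] = user
    @app.call(env)
  end
end
```

In a real deployment the web server must require authentication on every path the middleware protects; otherwise REMOTE_USER is simply absent and every request is refused, which is the safe failure mode.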