Looking ahead at least a year to 3.0, I'm proposing (and have a patch for) ignoring access control on metadata ("MD"). The shape of the API would not change at all, but access_id would always be public, and we wouldn't check it in queries.
My case for doing so:
The downsides:
If we decide to do this, sometime in 2.x setting the access_id of metadata to anything other than ACCESS_PUBLIC will cause a deprecation notice (if you're logging them; these are no longer displayed). I suspect 99% of MD usage is already ready for 3.0.
What do you think?
info@elgg.org
Security issues should be reported to security@elgg.org!
©2014 the Elgg Foundation
Elgg is a registered trademark of Thematic Networks.
Cover image by RaĆ¼l Utrera is used under Creative Commons license.
Icons by Flaticon and FontAwesome.
- Juho Jaakkola@juho.jaakkola
Juho Jaakkola - 0 likes
- Steve Clay@steve_clay
Steve Clay - 1 like
You must log in to post replies.I'm fine with this change.
Another pro: MD can be cached with entities; we really need to overhaul memcache integration yesterday.