On May 22, 2016, at 12:54 AM, Simon Hanna wrote:
While in theory it would be possible to enforce permissions in core about who is allowed to call specific rest calls, this would require a lot of changes. I'm not sure we want to go this way.
I've resisted this for a long time, and I may continue to do so :).
I definitely consider the current REST API a privileged, administrative API for integrating known, trusted components. It should never be published on any public IP address. This isn't going to change.
A while back, Andrew Stuart wrote an authenticating proxy server he called "mailmania" which does exactly as Simon proposes above. It authenticates users and maps their roles to allowed REST calls. It could be exposed on a public IP and used to script the core.
I'd like to either promote mailmania to an official subproject, or fork it, clean it up, and offer something much like it, either as a subproject (likely at first) or as an optional component of the core. Andrew has donated this to the FSF so we can use what we want, but I think he doesn't have time these days to develop it. I'd like to come up with a better name :).
Anyway, that's the direction I think such a permission system should go in.
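As an added example (not code from this thread, from mailmania, or from Mailman core), this is the kind of default-deny policy check such an authenticating proxy would run before forwarding a request to the privileged core API. The role names, the owned-list scoping and the `/3.0/...` path shapes are assumptions modelled loosely on Mailman 3's REST layout.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Constructed policy: role -> [(allowed methods, path pattern)].
# A pattern with a named "list" group is scoped to lists the user owns.
# Paths are assumptions in the style of Mailman 3 core's /3.0/... REST tree.
POLICY = {
    "list-owner": [
        ({"GET"}, re.compile(r"^/3\.0/lists/(?P<list>[^/]+)$")),
        ({"GET", "POST", "DELETE"},
         re.compile(r"^/3\.0/lists/(?P<list>[^/]+)/members(?:/[^/]+)?$")),
    ],
    # Only the site admin reaches everything else, e.g. /3.0/users or /3.0/domains.
    "site-admin": [({"GET", "POST", "PUT", "PATCH", "DELETE"},
                    re.compile(r"^/3\.0/"))],
}


def canonical_path(raw):
    """Drop the query string and refuse any path that '..' or '//' would
    rewrite, so a crafted URL cannot reach an endpoint the role is not mapped to."""
    path = urlsplit(raw).path
    norm = posixpath.normpath(path)
    if norm not in (path, path.rstrip("/")):
        return None
    return norm


def is_allowed(user, method, raw_path):
    """user = {"roles": set of role names, "owned_lists": set of list ids}.
    Anything not explicitly granted by a role entry is denied."""
    path = canonical_path(raw_path)
    if path is None:
        return False
    for role in user.get("roles", ()):
        for methods, pattern in POLICY.get(role, ()):
            match = pattern.match(path)
            if not match or method.upper() not in methods:
                continue
            scoped_list = match.groupdict().get("list")
            if scoped_list is None or scoped_list in user.get("owned_lists", ()):
                return True
    return False
```

The proxy would run this after authenticating the caller and only then forward the request to core with its own admin credential, so the core credential never leaves the trusted side.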