Add tag to deny untrusted routines from accessing program states #32

bemson opened this Issue April 03, 2013 · 1 comment

Bemi Faison

Currently, two tags determine how untrusted routines may access a program:

  • _ingress, which limits when a branch may be accessed
  • _restrict, which denies leaving a branch

What seems to be missing (and necessary) is a tag that makes a program branch inaccessible by untrusted calls.

This would prevent untrusted routines from navigating to sensitive states, like '//user/score/add/', 1000000);. With the proper restrictions, such a call could only be invoked by the program itself - or a (sanctioned) nested Flow.

In this sense, "hiding" a state is a way to make them as private (but from whom). The effect would cascade to descendants, and each state should be allowed to unhide itself and its branch.

Invocation "trust"

When a Flow instance method is invoked, there are three levels of "trust" (the labels will likely change):

  1. trusted: The instance is actively navigating program states.
  2. internal: The instance is active, but awaiting a nested-instance to complete navigating.
  3. external: The instance is inactive or has paused navigation.

External calls are considered "untrusted". Depending on the level of access/control a method exposes, internal calls might also be considered "untrusted". Flow lets methods incorporate these trust levels in their logic, which equates to access and control of an instance.

In light of trust levels, which should allow accessing a hidden state (besides internal)? Should external calls never have access, and internal calls be given access to them?

Splitting hairs here means either:

  • two tags: one to hide states externally and another for hiding states internally
  • one tag that allows defining "visibility" for both trust-levels

Bemi Faison

Core _conceal

The Core package may introduce the _conceal tag, which would provide the following functionality:

  • Deny external calls from accessing and navigating within a branch.

I've abandoned the idea of setting levels of concealment.

Bemi Faison bemson closed this in 50c689d April 17, 2013
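
The access rule discussed in this issue, sketched as an added example that is not part of the original thread and is not Flow's implementation: external calls are denied inside a concealed branch, and the setting cascades to descendants. The names `program`, `TRUST`, `resolve` and `canNavigate` are hypothetical, and the `_conceal: false` override on a descendant is an assumption taken from the "unhide" idea in the issue body.

```javascript
// Hypothetical model of the proposed _conceal tag; NOT Flow's own code.
// Constructed sample program: keys starting with "_" are tags, others are child states.
const program = {
  user: {
    profile: {},
    score: {
      _conceal: true,                       // hide this branch from external calls
      add: {},
      board: { _conceal: false, top: {} }   // assumed: a descendant may unhide its own branch
    }
  }
};

// The three invocation trust levels named in the issue.
const TRUST = Object.freeze({ TRUSTED: 'trusted', INTERNAL: 'internal', EXTERNAL: 'external' });

// Walk a path such as '//user/score/add/' from the root.
// Returns { node, concealed }, or null when the state does not exist.
function resolve(root, path) {
  let node = root;
  let concealed = root._conceal === true;
  for (const name of path.split('/').filter(Boolean)) {
    // Tags are not states, and inherited keys (e.g. "constructor") are never states.
    if (name.startsWith('_') || !Object.prototype.hasOwnProperty.call(node, name)) return null;
    node = node[name];
    if (node === null || typeof node !== 'object') return null;
    // The nearest explicit tag wins, so the setting cascades to descendants.
    if (typeof node._conceal === 'boolean') concealed = node._conceal;
  }
  return { node, concealed };
}

// Only external calls are denied; trusted and internal calls may navigate anywhere.
// Missing and concealed states both yield false, so an external caller cannot
// distinguish "hidden" from "does not exist".
function canNavigate(root, path, trust) {
  if (!Object.values(TRUST).includes(trust)) return false; // unknown level: fail closed
  const target = resolve(root, path);
  if (!target) return false;
  return !(trust === TRUST.EXTERNAL && target.concealed);
}
```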