From 61e6f27b2164fec843956e0a68d012b6f0e530a0 Mon Sep 17 00:00:00 2001 From: John Cardinal Date: Wed, 13 May 2020 00:31:14 +0000 Subject: [PATCH] --- devdocs/todo.txt | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/devdocs/todo.txt b/devdocs/todo.txt index 212e7bdc..3d58d273 100644 --- a/devdocs/todo.txt +++ b/devdocs/todo.txt @@ -29,7 +29,6 @@ todo: Routes should check rights *BEFORE* they fetch the object, not after, all i.e. delete route instantiates biz object, then it fetchs object from db *then* it checks if they have rights to delete (generically, not specific to that object) This is out of order as it triggers a db call even if they have no rights to do it todo: all biz objects "ExistsAsync" is this required / necessary? - todo: add query fail logging to datalist just like done with picklist so in production can catch mysterious problems more easily todo: AUTO ID GENERATOR change to a dedicated spot in global rather than inferring as it is not right practically for reasons 
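Review bot: the deleted line `- todo: add query fail logging to datalist just like done with picklist so in production can catch mysterious problems more easily` leaves the list with no record of whether that logging was implemented or the item was abandoned, and the commit message is the bare `Subject: [PATCH]` with no body. Suggest a one-line message stating which it was (for example "todo: datalist query-fail logging done" or "dropped, covered by picklist change"), since the neighbouring open items (rights check before the db fetch, `ExistsAsync`, auto id generator) stay in the file and a reader of the history cannot otherwise tell why this one left.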
@@ -66,5 +65,18 @@ todo: (BREAK THIS OUT INTO LATER/NOW/CASES) there are several outstanding AUTHEN https://rockfish.ayanova.com/default.htm#!/rfcaseEdit/3250 todo: Look into 2fa https://rockfish.ayanova.com/default.htm#!/rfcaseEdit/3395 +todo: look into how to use an SSL certificate with the RAVEN server directly when not behind nginx + - this should be supported by default out of the box working with Let's encrypt ideally + - is it now considered ok to host .net core web api directly internet facing? +todo: onboarding and default manager account password + - Need to come up with a safety plan for this so people don't leave it at default + - Maybe the very first thing required of a user is to change the password before any tasks can be performed + - Server stays in safety lock until they set a password? + - Or maybe a random password is generated on seeding and somehow provided to user through console or something? + - Maybe an empty db if no other users can be set password only so no one has made a hidden backdoor user account before ops changes it? + - maybe tied to license if licensed so they bring some info they have from rockfish / their license purchase or something? + - don't want it to be onerous too much and have some very inexperienced users so... + - see what other programs do, like our forum software + todo: API docs, make separate page for datalists and remove from api-response-format.md doc but put a reference link to it there.
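Review bot: in the new "onboarding and default manager account password" item the bullets read as mutually exclusive options, but the one that answers the hidden-backdoor concern only works in combination: "Server stays in safety lock until they set a password?" covers "Maybe an empty db if no other users can be set password only so no one has made a hidden backdoor user account before ops changes it" only if the lock also refuses user creation and other writes until the manager password has been changed. Suggest recording that dependency in the todo rather than as separate maybes, e.g. `+ - generate a random password at seeding, show it once on the console, require a change on first login, and block all other writes including new users until that change`. Also suggest moving "is it now considered ok to host .net core web api directly internet facing?" into its own item, since it is a deployment-policy question separate from getting a Let's Encrypt certificate onto the RAVEN server without nginx.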