I know that a wotk has been put into making services honor user permissions and that is the right thing without a doubt.
But it will be even better for application to expose only the services it needs. Think of read-only clients. Of course, the use of 'write'-type services will denied by user permissions. But! Think firewall. One can say that applications listening on ports should be resposible for access control, but if the port is not needed then it is much better to block requests to it at the earliest stage possible so that nobody could even try to hack in.
It is true for the services too. It may even bring additional goodies like wsdl size reduction.
I suggest to either include services exposure control directly into the services.module, or provide these functionality via an additinal services_exposure_control.module. For the latter to become possible we need to provide a hook_services_alter which should be called in a services_get_all() after $methods = module_invoke_all('service'); so that one can remove definitions of disallowed services.
This hook can be used by other modules also. For example localization modules could provide additional 'language' parameter to selected services transparently.
Comments
Comment #1
brmassa commentedKonstantin,
i like this idea. I will implement it soon.
regards,
massa
Comment #2
TheCrow commented2.x provide a better solution implemented by Rob Loach, the possibility to write a hook_service_links_alter() into a custom module.