On Tue, Apr 9, 2013 at 8:24 PM, Alexandre Hannud Abdo <ab...@member.fsf.org> wrote:
> I've been considering keeping the pairwise-api off the Internet and
> modifying the application to not only include an interface but also act
> as an intermediary for it, thus including the id in the extra info
> field.

Alexandre,

The All Our Ideas site acts much like this. Users of All Our Ideas
only connect to the All Our Ideas code, which in turn makes API
requests to the pairwise-api server.

I could easily envision a situation where your application is a client
to the pairwise-api. Your application would enforce the login
restrictions that you need to enforce. Furthermore, to associate votes
with particular users in your application you can pass along a
visitor_identifier of your choosing to help you associate those votes
with the user in your application. If you have a primary key in your
user table for your application, you could pass that key along as the
visitor_identifier. Since this visitor_identifier is being sent from
your application to the pairwise-api then users shouldn't be able to
tamper with it.

In the API docs[1], you can see that both the vote API call and the
question/show call accept a visitor_identifier.

https://github.com/allourideas/pairwise-api/wiki/prompts-vote
https://github.com/allourideas/pairwise-api/wiki/questions-show

There are other calls that accept the visitor_identifier parameter as well.

Does that help answer your question?

Luke

[1] https://github.com/allourideas/pairwise-api/wiki/API-Documentation
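
The intermediary pattern described in this reply, as an added Ruby example that is not part of the original message or of the All Our Ideas code: the application sets visitor_identifier from its own server-side session and drops any value the browser sends. The internal host, the route shape, and the `direction` field are assumptions made for illustration; only the visitor_identifier parameter name comes from the message.

```ruby
require "net/http"
require "uri"

# Assumption: pairwise-api listens on an internal address that only the
# application host can reach (hypothetical host and port).
PAIRWISE_BASE = URI("http://pairwise.internal.example:3000")

# Browser-supplied fields that may be forwarded upstream.
# "direction" is a hypothetical field name, not taken from the API docs.
CLIENT_ALLOWED = %w[direction].freeze

class NotLoggedIn < StandardError; end

# Build the upstream vote request.
#   session       - server-side session hash (never client-controlled)
#   client_params - parameters exactly as received from the browser
def build_vote_request(session, client_params, question_id:, prompt_id:)
  user_id = session[:user_id]
  raise NotLoggedIn, "login required" if user_id.nil?

  # Path components must be plain integers; Integer() raises on anything else,
  # so a value such as "7/../admin" never reaches the upstream URL.
  qid = Integer(question_id)
  pid = Integer(prompt_id)
  path = "/questions/#{qid}/prompts/#{pid}/vote" # hypothetical route shape

  # Allowlist the client fields. A client-supplied visitor_identifier is not
  # on the list, so it is dropped here and replaced below.
  form = client_params
         .transform_keys(&:to_s)
         .select { |key, _| CLIENT_ALLOWED.include?(key) }
  form["visitor_identifier"] = user_id.to_s # the user table's primary key

  request = Net::HTTP::Post.new(path)
  request.set_form_data(form)
  request
end

# Send the request to the internal pairwise-api host.
def forward(request)
  Net::HTTP.start(PAIRWISE_BASE.host, PAIRWISE_BASE.port) do |http|
    http.request(request)
  end
end
```

The tamper resistance holds only while the pairwise-api is unreachable from the browser; if it is exposed directly, a client can call it with any visitor_identifier.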