4

In the IRI, there is no filter that prevents anyone from cancelling another user's 'attachToTangle' operation when the POW is in progress.

See API.java, case "interruptAttachingToTangle"

Why is that?

1 Answer

2

It's the responsibility of the node owner to configure its node properly. The recommended setting is to not allow remote-POW (therefore interruptAttachingToTangle is a NOOP).

If the node owner allows remote-pow, it is probably a good idea to not allow remote calls to interruptAttachingToTangle (using the remote-limit-api parameter).

ben75
  • Cancelling is still allowed locally (a script running on the node may have the ability to do it). Allowing the light-node-client to cancel its own request would require some kind of authentication. Such a mechanism isn't implemented (yet?). – ben75 Jul 22 '18 at 14:10
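
One way to check a node's setting against the combinations described in the answer above, as an added example that is not part of the original answer or of the IRI code base. It assumes the remote-limit-api value is a comma-separated list of API command names that the node matches exactly; the function names and sample values are constructed for illustration.

```python
"""Audit a remote-limit-api value for the exposure discussed in this thread."""

POW_START = "attachToTangle"
POW_CANCEL = "interruptAttachingToTangle"


def parse_limited(value: str) -> set[str]:
    """Split the parameter value into the set of remotely blocked commands."""
    cleaned = value.strip().strip("\"'")
    return {name.strip() for name in cleaned.split(",") if name.strip()}


def audit(value: str) -> tuple[str, str]:
    """Return (verdict, explanation) for one remote-limit-api value."""
    limited = parse_limited(value)
    # Flag near-misses such as wrong case: with exact matching (assumed),
    # a misspelled entry would silently leave the command open.
    lowered = {name.lower(): name for name in limited}
    for cmd in (POW_START, POW_CANCEL):
        if cmd not in limited and cmd.lower() in lowered:
            return ("CHECK", f"'{lowered[cmd.lower()]}' does not match '{cmd}' exactly")
    start_open = POW_START not in limited
    cancel_open = POW_CANCEL not in limited
    if start_open and cancel_open:
        return ("EXPOSED", "remote PoW is allowed and any remote caller can cancel it")
    if start_open:
        return ("OK", "remote PoW is allowed; cancelling is limited to local callers")
    if cancel_open:
        return ("LOW", "remote PoW is off; limit the cancel call too so only local callers can use it")
    return ("OK", "remote PoW and remote cancel are both limited")


# Constructed sample values, not taken from any real node.
SAMPLES = [
    '"getNeighbors, addNeighbors, removeNeighbors"',
    "getNeighbors, addNeighbors, removeNeighbors, interruptAttachingToTangle",
    "attachToTangle, interruptAttachingToTangle",
    "attachToTangle",
    "attachToTangle, interruptattachingtotangle",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, why = audit(sample)
        print(f"{verdict:8} {sample}\n         {why}")
```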