High priority
-------------

1. Log all server and basic access messages to syslog and keep verbose
   logging (headers, bodies) in var/log/openxcap/

2. Log the whole HTTP URI as seen by the client

3. Add a server configuration option called 'check_rls_documents' to check
   the sanity of the content of RLS documents. As these documents are
   expanded by the Presence agent, it is important that the end-user does
   not provision unsafe data for the server.

   if check_rls_documents is not defined or is 'none' do nothing

   if check_rls_documents = 'safe' do the following checks:

   a) the service-uri must be formatted as: sip:listname-buddies@domain.com
   b) the elements must not point to another service-uri (they must not
      contain -buddies@)
   c) External references to resource-lists or other http URIs are not
      allowed
   d) The document must contain only individual sip uri entries user@domain

   if check_rls_documents = 'OMA' do the following checks:

   a) the service-uri must be formatted as:
      sip:username@domain.com;pres-list=id
   b) The service may contain only one element pointing to an existing
      resource list document on the same server:
      http://domain/xcap-root/resource-lists/users/sip:alice@domain/index/~~/resource-lists/list[@name="id"]
   c) The XCAP root part of point b) must match the XCAP root used to
      access this RLS services document
   d) The resource list named 'id' must exist

4. Validation after put/delete attribute

5. Add SIP client support to OpenXCAP to send PUBLISH for xcap-diff event.
   Modify OpenSIPS to perform refreshWatchers() when the PUBLISH is
   received.

Low priority
------------

1. Add xcap-directory application to list the documents for a given user

2. Allow port in root= settings, thus making the port= parameter
   unnecessary. Make sure that when listening on a non-default port valid
   URIs are logged (see prev. issue). Inside, always use xcap root with
   port (if non-default), i.e. put port in logs, xcap-diff docs

3. Change default port for https:// to 443 (currently is 8000).
   Keep the default port for http:// 8000 for backward compatibility.

4. Test suite: validate after each GET, test well-formedness of the
   received elements.

5. Finish global/users: test that all possible combinations (global/users
   GET/PUT/DELETE each app) return a reasonable error

6. global + digest auth = not implemented

7. URIs in att_value. Should differently encoded URIs be considered equal?
   Note that there are 2 encodings: percent-encoding, and xml attribute
   encoding (i.e. &quot; and friends).

   The Resource Lists RFC features an example document with an http URI
   that has percent-encoding in it. Does that mean that to match against
   it, percents in the URI should be themselves percent-encoded? Or should
   the XCAP server use its knowledge about the app and figure out that the
   URIs are equivalent? This may be unreliable if it's unknown whether this
   URI was percent-encoded or not.

   Why was that URI percent-encoded in the first place? Why not paste it in
   the documents as it is, using XML escaping where necessary?

   Make a few simple xpath expressions that include that URI as att_value
   and post them to the SIMPLE mailing list.

8. Errors from twisted are text/html and from xcap are text/plain: use one
   (text/plain?)
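
A sketch of the 'safe' mode checks a) to d) from High priority item 3, added here as an example and not taken from OpenXCAP. The function name check_rls_safe, the URI patterns and the sample documents are assumptions, and counting <entry-ref> as a reference under check c) is an interpretation:

```python
import re
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:"
NAMESPACES = {NS + "rls-services", NS + "resource-lists"}
# Assumed URI shapes for checks a) and d): one '@', no URI parameters.
SERVICE_URI = re.compile(r"sip:[^@;\s]+-buddies@[^@;\s]+")
ENTRY_URI = re.compile(r"sip:[^@;\s]+@[^@;\s]+")
PASSIVE = {"list", "display-name", "packages", "package"}  # carry no URI
REFERENCES = {"resource-list", "external", "entry-ref"}    # check c)

def check_rls_safe(xml_text):
    """Return the violated checks; an empty list means the document passes."""
    errors = []
    for service in ET.fromstring(xml_text):
        uri = service.get("uri", "")
        if not SERVICE_URI.fullmatch(uri):
            errors.append("a) service uri %r" % uri)
        for el in service.iter():
            if el is service:
                continue
            ns, _, name = el.tag[1:].rpartition("}")
            if ns not in NAMESPACES:
                errors.append("d) unexpected element %r" % el.tag)
            elif name in REFERENCES:
                errors.append("c) reference via <%s>" % name)
            elif name == "entry":
                target = el.get("uri", "")
                if "-buddies@" in target:
                    errors.append("b) entry points to service %r" % target)
                elif not ENTRY_URI.fullmatch(target):
                    errors.append("d) entry uri %r" % target)
            elif name not in PASSIVE:  # deny anything not explicitly allowed
                errors.append("d) unexpected element <%s>" % name)
    return errors

# Constructed sample documents (not from the page).
HEAD = ('<rls-services xmlns="urn:ietf:params:xml:ns:rls-services" '
        'xmlns:rl="urn:ietf:params:xml:ns:resource-lists">')
GOOD = HEAD + ('<service uri="sip:work-buddies@example.com"><list>'
               '<rl:entry uri="sip:alice@example.com"/></list>'
               '<packages><package>presence</package></packages>'
               '</service></rls-services>')
BAD = HEAD + ('<service uri="sip:work@example.com">'
              '<resource-list>http://example.com/x</resource-list><list>'
              '<rl:entry uri="sip:home-buddies@example.com"/>'
              '<rl:entry uri="tel:+15550100"/></list></service></rls-services>')
```

ElementTree keeps the example standard-library only; a server parsing user-supplied documents would want a parser configured to reject DTDs and entity declarations before these checks run.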