Does the "add" API need better security?

[zur003]

The new "add" API does not appear to be particularly safe (nor did it's predecessor). What is it's intended use? I know it was used in SoilMapp to allow users to add their soil description for later use in Yield Prophet. Was this actually being used? Are there other use-cases that apply?

If soils are to be added or modified, I think it would be good to keep them segregated to some extent from the core data. Perhaps they could be forced into a "usersoils" folder. The old API may have done something along those lines - at any rate, the old service has a number of entries in "/UserSoils" and "UserSoils".

[hol353]

"add" was created so that I had a way to upload all the legitimate APSOIL soils (no /UserSoils) from the old API. At the moment there is no other use case. The plan is to add a token based security to it.

SoilMapp modifies soils so the plan would be to modify the add method to put these into a different '/UserSoils' folder, like the old endpoints did.

[hol353]

The YieldProphet team are currently migrating to the new API endpoints. I've asked them to give me a list of user soils that are currently being used in YP. If they come back with a list then I'll try creating a /UserSoils folder and see what happens. Is there a better way to do this?