AW: [Zope3-dev] Re: skin support for xmlrpc
Hi Christian

> Subject: [Zope3-dev] Re: skin support for xmlrpc
>
> On 2007-09-14 18:54:01 +0200, Fred Drake [EMAIL PROTECTED] said:
>
>> On 9/14/07, Roger Ineichen [EMAIL PROTECTED] wrote:
>>
>>> If you register views for a base request type, you probably will
>>> open a backdoor in other projects.
>>
>> Because I'm not advocating registering views for the base request
>> types generally, but only the way to specify in the URL what the
>> request type is. Because sometimes we really do want completely
>> separate sets of XML-RPC (or whatever) interfaces.
>
> Ok, then I suggest:
>
> * Provide an IRequestType interface in zope.publisher
> * Provide an ++api++ traverser in zope.traversing which does
>   `getUtility(IRequestType, *name*)`.
> * define class IBrowserSkinType(IRequestType)
> * Leave ++skin++ for IBrowserSkinType or just make it the same as ++api++
> * Keep layer= on xmlrpc:view, browser:page etc.
>
> Comments?

If I understand the concept correctly, this is a builtin backdoor.
Doesn't this allow bypassing the Apache rewrite rule? With:

http://www.foobar.com/++api++xmlrpc/doSomething

if the rewrite rule in Apache is:

RewriteRule (/?.*) http://localhost:8080/++skin++OnlyHere/++vh++https:www.foobar.com:443/++$1 [P,L]

Or does the ++api++ namespace recognize the skin? Which means the rewritten URL is:

http://www.foobar.com/++skin++OnlyHere/++api++xmlrpc/doSomething

But then, do we need to register the ++api++ for each layer? I guess this is not what you are asking for, right?

My main issue on this thread is always the same: skins are a security layer. And don't bypass them, then this lets us use views which we don't like to provide in a layer/skin.

I really don't understand this thread. Does nobody take care of default traversal APIs? I'm really confused now. Probably I don't see something or don't understand it correctly. Do you understand what I mean with this backdoor use case? Or am I totally wrong?

Regards
Roger Ineichen

> --
> Christian Zagrodnick
> gocept gmbh & co. kg . forsterstrasse 29 . 06112 halle/saale
> www.gocept.com . fon. +49 345 12298894 . fax. +49 345 12298891

___
Zope3-dev mailing list
Zope3-dev@zope.org
Unsub: http://mail.zope.org/mailman/options/zope3-dev/dev%40projekt01.ch
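The exposure Roger describes here and in his later replies (a view registered for the base request type is reachable from every skin derived from it, while a view registered for one layer is only reachable when the request carries that layer), as an added example that is not code from the thread or from Zope itself: a few lines of plain Python standing in for zope.component's adapter registry, with the hypothetical skin names IOnlyHereSkin and IPublicSkin.

```python
# Constructed model of Zope 3 view lookup by request type (added example, not
# zope.component itself). Interfaces are modelled as plain classes; a request
# "provides" an interface when its most specific interface is a subclass of it.
# The lookup walks from most specific to least specific, so a view registered
# for a base request type is found for *every* skin derived from it.

class IRequest: pass
class IBrowserRequest(IRequest): pass
class IXMLRPCRequest(IRequest): pass

# Skins/layers are just more specific request interfaces. Names are hypothetical.
class IOnlyHereSkin(IXMLRPCRequest): pass   # what ++skin++OnlyHere would apply
class IPublicSkin(IXMLRPCRequest): pass     # a second skin on the same server

_views = {}  # (view name, request interface) -> view factory

def register_view(name, request_iface, factory):
    """Equivalent of <xmlrpc:view name=... layer=.../> in this model."""
    _views[(name, request_iface)] = factory

def lookup_view(name, request_iface):
    """Most-specific-first lookup, as an adapter registry does for the request."""
    for iface in request_iface.__mro__:
        factory = _views.get((name, iface))
        if factory is not None:
            return factory
    return None

def exposed_views(request_iface):
    """Names that a client arriving with this request type can reach."""
    names = {name for (name, _) in _views}
    return sorted(n for n in names if lookup_view(n, request_iface) is not None)

# A shared package registers on the base request type ...
register_view("doSomething", IXMLRPCRequest, lambda: "registered for IXMLRPCRequest")
# ... while the project restricts its own view to the skin Apache rewrites to.
register_view("adminOnly", IOnlyHereSkin, lambda: "registered for IOnlyHereSkin")
# A browser-only view never matches an XML-RPC request, whatever the skin.
register_view("index.html", IBrowserRequest, lambda: "registered for IBrowserRequest")

if __name__ == "__main__":
    for skin in (IOnlyHereSkin, IPublicSkin, IXMLRPCRequest):
        print(skin.__name__, "->", exposed_views(skin))
```

Running it shows "doSomething" reachable from both skins and from a bare IXMLRPCRequest, while "adminOnly" appears only for IOnlyHereSkin.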
AW: [Zope3-dev] Re: skin support for xmlrpc
Hi Christian

> Subject: Re: [Zope3-dev] Re: skin support for xmlrpc
>
> [...]
>
>> The problem is simple, XML-RPC has used the IBrowserRequest and now
>> it uses the IXMLRPCRequest. This is why the XML-RPC views in
>> different projects don't work anymore. This means the XML-RPC uses a
>> browser request which is bad because it enables the views everywhere.
>
> No no. XML-RPC did use IXMLRPCRequest before. All I added was the
> IXMLRPCSkinType which did not exist. What I also changed is the
> ++skin++ traverser which was registered for * instead of
> IBrowserRequest. But I consider the old behaviour a bug since skins
> were only valid with IBrowserRequest.

Ah, sorry, I was wrong then. But we still need the option to register XML-RPC views for explicit request types.

>> The solution is to provide the request interface which was the
>> default before the changes. But don't take the option away to use
>> other request interfaces than the default for registration. I'll
>> need it. Because I'll take care of security and don't like to
>> register everything on whatever.
>
> Before I'll revert, the layer support will be there in a third party
> package, probably using ++api++.

The only thing that I need is a directive which allows me to register XML-RPC views on an explicit skin type then. Then this will avoid getting XML-RPC views for all browser request types, right?

I'll work on the same topic at the sprint too and implement this option for the zif.jsonserver. Right now the zif.jsonserver depends on the xmlrpc metaconfigure directive. If your changes will fit, I can still depend on this.

Thanks for taking care of this issue.

Regards
Roger Ineichen

> --
> Christian Zagrodnick
AW: [Zope3-dev] Re: skin support for xmlrpc
Hi Fred

> Subject: Re: [Zope3-dev] Re: skin support for xmlrpc
>
> [...]
>
> Can't say I've ever advocated removing that, but I'm one of those
> skin-means-request-type folks.

If you register views for a base request type, you probably will open a backdoor in other projects. Because if someone uses such a package which has views registered for a context and standard request type, these views are available in every instance in which the discriminator will fit. Layers, skins or the z3c.baseregistry are concepts to avoid this.

Regards
Roger Ineichen

> I suspect the hangup some people have is really about the skin name
> for something that's not about browser presentation.
>
> -Fred
>
> --
> Fred L. Drake, Jr.    fdrake at gmail.com
> Chaos is the score upon which reality is written. --Henry Miller
AW: [Zope3-dev] Re: skin support for xmlrpc
Hi

> Subject: [Zope3-dev] Re: skin support for xmlrpc
>
> On 13.09.2007, at 17:28, Philipp von Weitershausen wrote:
>
>> Christian Theune wrote:
>>
>>> Let me propose a change:
>>>
>>> 1. We revert the change.
>>
>> Any news on this?
>
> Yes. Over the last few days I pondered about how to do it without
> xmlrpc layers. But there doesn't seem to be a nice and easy way. So I
> will need to implement the layer support in a different package. The
> revert will be done till Monday, maybe already tomorrow. Sorry for the
> delay.
>
> Anyway, could somebody who had an error with that tell me what the
> problem was? I just heard we had a problem.

Why revert? We need layers in every kind of context/request adapter registration, because it's the concept by which permissions get registered in different projects on a single server sharing packages.

The problem is simple: XML-RPC has used the IBrowserRequest and now it uses the IXMLRPCRequest. This is why the XML-RPC views in different projects don't work anymore. This means the XML-RPC uses a browser request, which is bad because it enables the views everywhere.

The solution is to provide the request interface which was the default before the changes. But don't take the option away to use other request interfaces than the default for registration. I'll need it. Because I'll take care of security and don't like to register everything on whatever.

Regards
Roger Ineichen

> --
> Christian Zagrodnick
AW: [Zope3-dev] Re: skin support for xmlrpc
Hi Stephan

> Cc: Christian Zagrodnick
> Subject: Re: [Zope3-dev] Re: skin support for xmlrpc
>
> [...]
>
>> The idea is now to register list_foo for different
>> layers/skins/api-sets. This could also be achieved by creating dummy
>> model-objects and/or traversers, but would be much less
>> understandable. What essentially happens is that the views are
>> registered for different request types.
>
> You can solve this issue easily using pluggable traversers. There is
> absolutely no need to use skins here. For example, a traverser plugin
> can simply mark the request with a directly provided interface and
> return the same object. This would work very much like a skin without
> mis-using the concept.

That's wrong, even a pluggable traverser uses skins if you use Apache and virtual hosts. Without a skin you can't handle that. This means a pluggable traverser is just an additional hook to solve a simple problem.

> [...]
>
> Then use a custom traverser, please!? :-)

eek, I don't like them. And I see no reason to use a pluggable traverser for every JSON or XML-RPC view which should not get shared in different skins. Not a skin is a DNS - layout mapping lookup from the Apache point of view.

>> It probably would not be much of a problem to remove the skin things
>> again and put it directly to the project or another third-party
>> component. But it doesn't feel right.
>
> Please revert the skin support again. This is a pretty major change
> and I gave a -1 on the original discussion already. There was never a
> full proposal either.

But it's a security issue not having layer support in views; even XML-RPC views behave exactly like every other view handled by browser - apache - server.

Regards
Roger Ineichen

> Regards,
> Stephan
>
> --
> Stephan Richter
> CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
> Web2k - Web Software Design, Development and Training
AW: [Zope3-dev] Re: skin support for xmlrpc
Hi Jodok

> Cc: Christian Zagrodnick; zope3-dev@zope.org
> Subject: Re: [Zope3-dev] Re: skin support for xmlrpc
>
> [...]
>
> for me xmlrpc is remote procedure call. an rpc has a signature and
> always the same result. and as stephan said - traversers should help
> here.

Yes, but what does this mean? Where is the difference to any other view, e.g. BrowserRequest views? XML-RPC views are exactly the same as any other multi adapter which can get traversed. All of them need to support a layer. Except that the default layer for XML-RPC is the XMLRPC request and not the DefaultBrowserRequest. Traversers are not needed for this. That's a totally different concept.

btw, the layer is a namespace for permission settings and not skinning/layout in this use case.

> [...]

Regards
Roger Ineichen