Re: intended security model for templates

2014-12-29 Thread Aymeric Augustin
2014-12-29 0:26 GMT+01:00 Curtis Maloney:
> I certainly like the idea of making public the API to load your tag lib by
> default for your project. It's there, it's clean, and it's been stable for
> a looong time. Of course, the multi-template-engine work may change this.
It doesn't. Template

Re: intended security model for templates

2014-12-28 Thread Collin Anderson
I also think the "load your tag lib by default for your project" is a good idea. It's a tad magical, but very nice.
On Sunday, December 28, 2014 5:26:46 PM UTC-6, Curtis Maloney wrote:
>
> I certainly like the idea of making public the API to load your tag lib by
> default for your project. It'

Re: intended security model for templates

2014-12-28 Thread Carl Meyer
Hi Tim,
On 12/24/2014 01:35 PM, Tim Graham wrote:
> I was hoping to get clarification on what security model we intend to
> support for template authors. In ticket #12772
> it's proposed to allow
> loading template tags using a dotted Python path. T

Re: intended security model for templates

2014-12-28 Thread Curtis Maloney
I certainly like the idea of making public the API to load your tag lib by default for your project. It's there, it's clean, and it's been stable for a looong time. Of course, the multi-template-engine work may change this. Also, I agree that "explicit is better than implicit", and thus reducing

Re: intended security model for templates

2014-12-26 Thread Shai Berger
On Wednesday 24 December 2014 20:35:09 Tim Graham wrote:
> I was hoping to get clarification on what security model we intend to
> support for template authors. In ticket #12772
> it's proposed to allow
> loading template tags using a dotted Python path

Re: intended security model for templates

2014-12-25 Thread Florian Apolloner
On Thursday, December 25, 2014 5:24:05 AM UTC+1, Curtis Maloney wrote:
>
> Whilst I can understand the appeal of allowing namespacing of template
> libs, I think exposing full python paths is the wrong approach. Perhaps
> allowing a "app_label:libname" approach to being more specific?
>
+1, and

Re: intended security model for templates

2014-12-24 Thread Curtis Maloney
Personally I feel it's exposing too much implementation to the template authors. Whilst I can understand the appeal of allowing namespacing of template libs, I think exposing full python paths is the wrong approach. Perhaps allowing a "app_label:libname" approach to being more specific? -- Curti

intended security model for templates

2014-12-24 Thread Tim Graham
I was hoping to get clarification on what security model we intend to support for template authors. In ticket #12772 it's proposed to allow loading template tags using a dotted Python path. This would allow template authors to trigger imports of any