Hi Guys,
A lot of interesting ideas here! I'm really not sure what the best
approach is. My gut feel is to sit on this for now, someone will get
some inspiration in the course of time.
Regarding encrypting pickle data, that alone won't make it safe as
encrypted data can still be tampered with (although it's much harder!).
The proper solution is to use a MAC, which prevents tampering. This
makes the data trusted so it is safe to unpickle it. Encryption can be
used as well to hide the data, but that's generally less important.
One design aspect I do feel strongly about is that the secure mode
should be the default. A programmer should have to explicitly turn off
security if they want to do some fancy things. If we get the design
right though, most client-side manipulation will just work alongside the
security.
I noticed the mention of changing the form based on what options are
selected. I submitted a widget along these lines called
HidingSingleSelectField, which I use a fair bit. Another widget I am
looking at is a SecurePassword field, which is write-only - the value
cannot be read from the web app.
Regards,
Paul
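The MAC approach described in the message above, as an added Python example (not code from this thread or from TurboGears): the server signs the pickled state with HMAC-SHA256 and verifies the tag in constant time before it ever calls pickle.loads, so tampered or forged tokens are rejected without being deserialized. The function names and the demo key are assumptions for the example.

```python
import base64
import hashlib
import hmac
import pickle

# Constructed demo key for the example; a real deployment reads it from
# server-side configuration and never ships it to the client.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = hashlib.sha256().digest_size


def sign_state(obj, key=SECRET_KEY):
    """Pickle obj and append an HMAC-SHA256 tag over the pickled bytes.

    The token can be handed to the client (e.g. in a hidden form field):
    the client may read it, but cannot alter it without breaking the tag.
    """
    payload = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode("ascii")


def load_state(token, key=SECRET_KEY):
    """Verify the tag first; only then unpickle.

    Raises ValueError on any tampering, so pickle.loads never sees
    bytes that did not originate from sign_state with this key.
    """
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except ValueError:  # covers binascii.Error and non-ASCII input
        raise ValueError("malformed token")
    if len(raw) <= TAG_LEN:
        raise ValueError("token too short")
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking the tag via timing.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("signature mismatch: refusing to unpickle")
    return pickle.loads(payload)


def tampered_token_is_rejected(token):
    """Flip one byte of the pickled payload and confirm load_state refuses it."""
    raw = bytearray(base64.urlsafe_b64decode(token.encode("ascii")))
    raw[0] ^= 0x01  # corrupt the first payload byte, leave the tag intact
    forged = base64.urlsafe_b64encode(bytes(raw)).decode("ascii")
    try:
        load_state(forged)
    except ValueError:
        return True
    return False
```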
Jorge Godoy wrote:
Jorge Godoy <[EMAIL PROTECTED]> writes:
They might be disabled client side as well... The idea is really signaling
that to the server so that it knows. Of course, if a widget has no
"can_be_disabled" attribute or it is false, then it can't be disabled...

The idea of using the hashes is that one would have computed all variations
to the form. Then it would just be a matter of selecting a valid variation.
If one would tamper with the form he'd have to select a valid hash (i.e. a
valid schema) and would be subject to it.

If the hash is invalid -- i.e., it matches no predefined schema -- then the
form is processed as if it had an error (a default schema might be used
here).
You received this message because you are subscribed to the Google Groups
"TurboGears" group.