Hello.
Diez said:
> Just a thought. You argue above with security-flaws creeping into code if
> __nonzero__ is used.
>
> I'd like to make the point for the opposite - not evaluating the predicate
> automatically via __nonzero__ creates one.
>
> Consider the following situation:
>
> <div py:if="in_group('admin')"> Some super secret stuff </div>
>
> Now without the patch, this gets evaluated to a predicate - in other words
> an object which is not amongst the objects python automatically treats as
> "False".
>
> So unless you do provide a __nonzero__-method on Predicates that always
> yields False, users are likely to create security-flaws by forgetting the
> evaluator. But then the reasoning of #1 falls flat on its face as well.
There's no bug/flaw anywhere. The repoze.what docs clearly emphasize that the
only way to evaluate predicates is by doing so explicitly with the
.is_met()/.check_authorization() methods:
http://what.repoze.org/docs/1.x/Manual/Predicates/Evaluating.html
It can only be a flaw if it's a dumb developer who doesn't RTFM and doesn't
try the code s/he writes either. And then, the bug would be the programmer
himself.
On the other hand, having a default evaluation result of False can be
equally dangerous:
"""
<div py:choose="">
<span py:when="is_anonymous()">Nothing to see here</span>
<span py:otherwise="">Secret message for registered users</span>
</div>
<div py:choose="">
<span py:when="not_anonymous()">Secret message for registered users</span>
<span py:otherwise="">Nothing to see here</span>
</div>
"""
Cheers.
--
Gustavo Narea <xri://=Gustavo>.
| Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about |
You received this message because you are subscribed to the Google Groups
"TurboGears" group.
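The two failure modes argued over in this thread (an unevaluated predicate object being truthy, versus a __nonzero__ that always yields False) can be shown side by side with a small simulation. The following is an added example written for this thread, not repoze.what's code and not code from either poster: the predicate classes, the 'user' environ key and the template-rendering helpers are all constructed, and only the method name is_met(environ) is taken from the discussion. The StrictPredicate variant is my own suggestion for making a forgotten evaluator fail loudly rather than silently pass.

```python
# Added example (not repoze.what's own code): a toy model of predicate objects
# and of Genshi-style py:if / py:choose rendering, to compare the two
# behaviours discussed in the thread.

SECRET = "Some super secret stuff"
HIDDEN = ""


class Predicate(object):
    """Predicate with no __bool__/__nonzero__: truthy by default, like any object.
    The documented way to evaluate it is .is_met(environ) (name from the thread)."""

    def is_met(self, environ):
        raise NotImplementedError


class is_anonymous(Predicate):
    def is_met(self, environ):
        return environ.get('user') is None        # 'user' key is constructed


class not_anonymous(Predicate):
    def is_met(self, environ):
        return environ.get('user') is not None


class FalsyPredicate(Predicate):
    """Diez's alternative: boolean coercion always yields False."""

    def __bool__(self):
        return False
    __nonzero__ = __bool__   # Python 2 spelling of the same hook


class StrictPredicate(Predicate):
    """Defensive variant (my suggestion): refuse boolean coercion entirely, so a
    template that forgets .is_met() blows up at render time instead of leaking."""

    def __bool__(self):
        raise TypeError("evaluate predicates with .is_met(environ), not in a boolean context")
    __nonzero__ = __bool__


class is_anonymous_falsy(FalsyPredicate, is_anonymous):
    pass


class not_anonymous_falsy(FalsyPredicate, not_anonymous):
    pass


class not_anonymous_strict(StrictPredicate, not_anonymous):
    pass


def render_forgotten_evaluator(predicate):
    """<div py:if="in_group('admin')"> with the evaluator forgotten:
    the template engine only tests the predicate object's truthiness."""
    return SECRET if predicate else HIDDEN


def render_with_is_met(predicate, environ):
    """The documented way: <div py:if="in_group('admin').is_met(environ)">."""
    return SECRET if predicate.is_met(environ) else HIDDEN


def render_choose(when_predicate, when_text, otherwise_text):
    """Gustavo's py:choose / py:when / py:otherwise pair, again testing truthiness."""
    return when_text if when_predicate else otherwise_text


def demo():
    """Run every scenario and return the rendered output of each."""
    anonymous = {}                      # constructed environ: nobody logged in
    results = {}

    # 1. No __nonzero__ at all: the unevaluated predicate object is truthy, so
    #    the secret leaks to everyone, regardless of who is logged in.
    results['leak_no_nonzero'] = render_forgotten_evaluator(not_anonymous())
    results['correct_is_met'] = render_with_is_met(not_anonymous(), anonymous)

    # 2. Always-False __nonzero__: is_anonymous() is false even for anonymous
    #    visitors, so the py:otherwise branch leaks the registered-only text...
    results['leak_always_false'] = render_choose(
        is_anonymous_falsy(), "Nothing to see here", "Secret message for registered users")
    # ...while the reversed ordering denies registered users the same text.
    results['deny_always_false'] = render_choose(
        not_anonymous_falsy(), "Secret message for registered users", "Nothing to see here")

    # 3. Strict variant: the forgotten evaluator is caught instead of silently passing.
    try:
        render_forgotten_evaluator(not_anonymous_strict())
        results['strict_raises'] = False
    except TypeError:
        results['strict_raises'] = True
    return results


if __name__ == "__main__":
    for name, value in sorted(demo().items()):
        print("%-18s %r" % (name, value))
```

The point the simulation makes is that neither truthiness convention is safe: with no __nonzero__ the template leaks, and with an always-False one it leaks in one ordering of py:when/py:otherwise and denies in the other, independent of the environ. Only explicit evaluation with .is_met(environ) gives the right answer, and a predicate whose boolean coercion raises turns the "forgot the evaluator" mistake into an error that shows up on the first page render.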