Jean-Paul Calderone wrote:
I'm wary of making it possible to accidentally expose a method to the
client. Without allowedMethods, it seems to be quite simple to
accidentally expose things. For example, with your patch, the following
methods can be invoked by the client on any LiveFragment:
get
rend
...
postForm
...
With the above list of methods in mind, does it make more sense why
allowedMethods is present?
Dear Jean-Paul,
You're right, it could be dangerous, but I'm soooo lazy for typing too much!
Attached is a revisited patch that fulfills the security and at the same time
makes the allowedMethods unnecessary - this version allows only usage of NEW
methods in the subclass; no superclass methods or overriding of them are
accepted, try it...
Could it be a way?
Paul
Index: athena.py
===================================================================
--- athena.py (Revision 3368)
+++ athena.py (Arbeitskopie)
@@ -407,21 +407,19 @@
<form onsubmit="Nevow.Athena.refByDOM(this).callRemote('foo',
bar); return false;">
- By default, only methods named in the C{allowedMethods} mapping
- may be invoked by the client.
"""
- allowedMethods = {}
-
def rend(self, context, data):
myID = self.page.addLocalObject(self)
context.fillSlots('nevow:athena_id', myID)
return super(LiveFragment, self).rend(context, data)
def locateMethod(self, ctx, methodName):
- if methodName in self.allowedMethods:
- return getattr(self, methodName)
- raise AttributeError(methodName)
+ if not hasattr(super(LiveFragment, self), methodName):
+ method = getattr(self, methodName, None)
+ if method:
+ return method
+ raise AttributeError, 'Method "%s" not allowed' % methodName
# Helper for docFactories defined with stan:
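Review bot: the new locateMethod inverts the security default: instead of exposing only what an explicit allowedMethods mapping names, it exposes every attribute on self that is not reachable through super(LiveFragment, self). That proxy only covers classes after LiveFragment in the MRO, so anything defined on LiveFragment itself without a parent of the same name, and every helper, data attribute or underscore-prefixed method a subclass adds, becomes callable from the client; `getattr(self, methodName, None)` followed by `if method:` also returns non-callable attributes, and the raise only triggers for attributes that are absent or falsy. A `callable(method)` test and a rejection of names starting with `_` would narrow this somewhat, but the safer shape is to keep the allowlist (or an opt-in marker on each exposed method) so that a new method is private unless the author says otherwise. The hunk also deletes the docstring sentence about allowedMethods without replacing it; the new exposure rule should be documented in the class docstring since it is now a security property of every LiveFragment subclass.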
_______________________________________________
Twisted-web mailing list
[email protected]
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-web