So, in this validation framework, do you envision having a
parameter-validating routine being invoked whenever a publicly-exposed
method is called by DTML methods, or did you want to focus on mere
HTML form validation/stripping?

      I'm asking because I've had situations when I've needed the
ability to restrict access to methods based on the values of their
parameters -- that's a little more fine-grained than the current
security machinery allows. I've always thought that it might be nice
to provide a hook for each method in a Zope class (similar to
declarative security statements), and to use this hook to validate the
parameters, according to the needs of the user.

      For string parameters, perhaps we can also have the ability to
specify a "filter" -- something like a search and replace statement,
with Sed-like syntax.

"Andy" <[EMAIL PROTECTED]> wrote:
> That depends on where you do the checking; yes, HTML validation in just a form
> is not as secure as checking at the application level. What I am suggesting
> is adding the HTML validation framework into the core of Zope so people can
> add checking to any level of their application as they wish. Making a
> standard interface to this gives the developer a chance to put the checking
> in at the level they choose.

Zope-Dev maillist  -  [EMAIL PROTECTED]
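
A minimal sketch of the per-method validation hook and sed-like string filter discussed in this thread, added here as an illustration and not taken from the thread or from Zope. `validate_params`, `sed_filter`, `ParameterRejected` and the `Folder` class are hypothetical names in plain Python, and replacements use Python `re` syntax rather than sed's.

```python
import inspect
import re
from functools import wraps

class ParameterRejected(Exception):
    """Raised when a call is refused because of its argument values."""

def sed_filter(expr):
    """Compile a sed-like 's/pattern/replacement/[g]' statement into a callable."""
    if len(expr) < 2 or expr[0] != "s":
        raise ValueError("only s/pattern/replacement/[g] is supported")
    delim = expr[1]
    # Split on the delimiter unless it is escaped with a backslash.
    parts = re.split(r"(?<!\\)" + re.escape(delim), expr[2:])
    if len(parts) != 3 or parts[2] not in ("", "g"):
        raise ValueError("malformed filter: %r" % expr)
    pattern, repl, flag = (p.replace("\\" + delim, delim) for p in parts)
    regex = re.compile(pattern)
    return lambda value: regex.sub(repl, value, count=0 if flag == "g" else 1)

def validate_params(filters=None, checks=None):
    """Declare per-parameter filters and value checks for a single method."""
    filters = {name: sed_filter(expr) for name, expr in (filters or {}).items()}
    checks = checks or {}
    def decorate(method):
        sig = inspect.signature(method)
        @wraps(method)
        def guarded(*args, **kwargs):
            bound = sig.bind(*args, **kwargs)
            bound.apply_defaults()
            for name, value in bound.arguments.items():
                if name in filters and isinstance(value, str):
                    value = bound.arguments[name] = filters[name](value)
                if name in checks and not checks[name](value):
                    raise ParameterRejected("%s: value not permitted" % name)
            return method(*bound.args, **bound.kwargs)
        return guarded
    return decorate

# Constructed example class: the hook runs however the method is reached.
class Folder:
    @validate_params(
        filters={"title": "s/<[^>]*>//g"},
        checks={"quota_mb": lambda v: isinstance(v, int) and 0 < v <= 100},
    )
    def set_properties(self, title, quota_mb=10):
        self.title, self.quota_mb = title, quota_mb
        return self.title
```

Because the check wraps the method itself, it applies at the application level regardless of which form or template made the call. The tag-stripping filter normalises input only and does not replace escaping on output.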