Lennart Regebro wrote:
> From: "Oliver Bleutgen" <[EMAIL PROTECTED]>
>
>> I think zope's management methods (the potentially destructive ones)
>> should not accept REQUESTs with REQUEST_METHOD "GET".
>
> Do you have any proposal for how to go about doing this?
Well, I don't see how one could do that systematically, by which I mean doing it at a single point and being done for all methods. I am not too intimate with the deeper innards of zope (ZPublisher & ZODB etc.), but I suspect it would be nearly impossible to decide, in a sane way, what would constitute an active (i.e. destructive or constructive) method. A method that causes a write to the ZODB? No, that wouldn't fly.

I was thinking more of something like adding the checks individually to each method in stock zope for which it is appropriate. Brian is of course right in his other mail by stating that this might and will break custom products which use the wrong method, but I wouldn't call a global s/method='GET'/method='POST'/g ( SCNR ;-) ) a code audit.

It might also be made customizable via a command line switch to z2.py in the beginning, with default to off.

cheers,
oliver

_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
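The per-method check Oliver describes, as an added illustration that is not code from the thread or from Zope itself: a decorator refuses a state-changing management method when the request arrived via a safe verb (GET or HEAD), gated by a global switch that defaults to off. REQUEST is modelled as a plain dict carrying the CGI variable REQUEST_METHOD, and the Folder class and its manage_delObjects method are hypothetical stand-ins for a real management method.

```python
import functools

# Enforcement is off by default, matching the proposed command-line switch.
ENFORCE_SAFE_METHODS = False

# HTTP verbs that must never cause a state change (RFC 9110 "safe" methods).
SAFE_VERBS = ("GET", "HEAD")


class UnsafeMethodError(Exception):
    """Raised when a destructive method is invoked through a safe HTTP verb."""


def set_enforcement(enabled):
    """Flip the global switch; a startup flag would call this once."""
    global ENFORCE_SAFE_METHODS
    ENFORCE_SAFE_METHODS = bool(enabled)


def request_is_safe_verb(REQUEST):
    """True when REQUEST (assumed dict-like) was issued with GET or HEAD."""
    verb = str(REQUEST.get("REQUEST_METHOD", "")).upper()
    return verb in SAFE_VERBS


def require_unsafe_verb(func):
    """Decorate a management method so GET/HEAD are rejected when enforcing."""
    @functools.wraps(func)
    def wrapper(self, REQUEST=None, *args, **kw):
        # REQUEST may be None when the method is called from Python code
        # rather than published through the web; only web calls are checked.
        if ENFORCE_SAFE_METHODS and REQUEST is not None and request_is_safe_verb(REQUEST):
            raise UnsafeMethodError(
                "%s refuses safe HTTP verb %s" % (func.__name__, REQUEST.get("REQUEST_METHOD")))
        return func(self, REQUEST, *args, **kw)
    return wrapper


class Folder:
    """Hypothetical container with one destructive management method."""

    def __init__(self):
        self.objects = {"a": 1, "b": 2}  # constructed sample contents

    @require_unsafe_verb
    def manage_delObjects(self, REQUEST=None, ids=()):
        """Delete the named children and return the remaining ids."""
        for object_id in ids:
            self.objects.pop(object_id, None)
        return sorted(self.objects)
```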