Jamie Heilman wrote:
Martijn Faassen wrote:

Shane Hathaway wrote:

There certainly ought to be a way to create an unrestricted PageTemplateFile, though it should be an explicit step.

That is a good suggestion. I'd like that option. It would also be a potential performance benefit.

On the other hand, in situations where the PageTemplate designers are *not* security conscious (they're designers, not primarily programmers) the option of explicit checks is useful.

PageTemplateFile is a class used by Product authors, just like DTMLFile. If you can write a product, you are either security conscious or your product is worthless.

I don't always write products by myself. I work in a larger team which may include some people who are very good at making beautiful HTML and can get a page template to work, but aren't Python developers and can't be expected to be experts on Zope security. In such situations it can be a good idea that security checks against the underlying API take place, though of course other forms of collaboration are possible where this need does not exist.



Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )
