Dario Lopez-Kästen wrote:
Jamie Heilman wrote:

Martijn Faassen wrote:

On the other hand, in situations where the PageTemplate designers are *not* security conscious (they're designers, not primarily programmers) the option of explicit checks is useful.


PageTemplateFile is a class used by Product authors, just like
DTMLFile.  If you can write a product, you are either security
conscious or your product is worthless.


Exactly. Let's not design technical solutions to non-technical problems.

If a technical solution indeed exists to a non-technical problem, let's by all means use it to solve it. As then we can forget about it. :)


Reality is of course more subtle, as in this case the technical solution (no need to worry about page template security declarations at all) causes increased complexity in some cases.

These kinds of tools (i.e. Zope and Zope products) should be versatile, and constraints on their usage should come from best practices and conscient knowledge and not from the way the tools are implemented.

I'm advocating an explicit option to disable security checks here. I'm just also advocating that the current behavior can be sensible in certain circumstances. This is the only backwards compatible way anyway.


Anyway, I disagree on the general philosophical point that it is undesirable to have tool or framework support for various best practices and experience.

Regards,

Martijn

_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev