On Dec 18, 2007, at 5:08 AM, Roger Ineichen wrote:

Hi Jim

Subject: Re: AW: [Zope-dev] Re: Request typing (to get the
xmlrpc layer discussion finished)

[...]

Configuring views on layers will prevent us from backdoors if
we reuse these easily installable eggs ;-)

Here is a simple sample of such a built-in backdoor:

At our fresh zope installation:
http://localhost:8080/@@absolute_url

Of course it's not this dangerous, but it shows you what I mean.


How do skins avoid this?

Let me explain first how I define layer and skins.

- A layer is a configuration discriminator (request type)
  for traversable components.

- A named skin (configuration) makes it possible to traverse
  components using a context and this layer as discriminator
  in the URL path.

This means, from my point of view, that a layer is a concept which
offers a configuration namespace which somebody can use or
not. If a layer has already defined views, it doesn't affect
anything until we map this layer as a traversable namespace.
By a traversable namespace I mean the layer registered by
its traversable name, also called a skin and accessible via
++skin++Name.

If we register "absolute_url" in a layer which isn't
used in a skin, then this view is not available as
traversable view because of the missing layer/named skin
configuration.


Which does nothing to "protect" you from components registered for the default layer or for IBrowserRequest.

Jim

--
Jim Fulton
Zope Corporation
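As an added illustration of the layer/skin argument above (a constructed model, not code from this thread or from Zope itself), a stripped-down view lookup by request type: a view registered on a custom layer is unreachable until a skin adds that layer to the request, while views registered on the default layer or on IBrowserRequest stay reachable from every request, which is Jim's objection. The layer and view names other than absolute_url are constructed.

```python
"""Stripped-down model of Zope 3 view lookup by request type (layer).
Constructed example: plain classes stand in for zope.interface interfaces
and a dict for the component registry; this is not zope.component itself."""

class IBrowserRequest:
    """Base request type; every browser request provides it."""

class IDefaultBrowserLayer(IBrowserRequest):
    """The default layer; its views are reachable from every skin."""

class IMyLayer(IBrowserRequest):
    """Custom layer (constructed name); reachable only once a skin maps it."""

# (view name, request type it was registered for) -> view implementation
_views = {}

def register_view(name, layer, impl):
    _views[(name, layer)] = impl

def provided_by(request_cls):
    """Request types a request provides, most specific first; the class MRO
    stands in for interface inheritance."""
    return [c for c in request_cls.__mro__ if c is not object]

def lookup_view(name, request_types):
    """First registered view for `name` whose layer the request provides."""
    for iface in request_types:
        impl = _views.get((name, iface))
        if impl is not None:
            return impl
    return None

def reachable_views(request_types):
    """Every view name a request of these types can traverse to: the audit a
    deployer wants before trusting a stack of reused eggs."""
    return sorted(name for (name, layer) in _views if layer in request_types)

def demo():
    register_view("absolute_url", IDefaultBrowserLayer, "AbsoluteURL")
    register_view("status", IBrowserRequest, "Status")          # constructed
    register_view("debug_dump", IMyLayer, "DebugDump")           # constructed
    # A request with no skin applied provides only the default layer chain.
    plain = provided_by(IDefaultBrowserLayer)
    # ++skin++My adds IMyLayer to the request's provided interfaces.
    skinned = provided_by(type("MySkinRequest", (IMyLayer, IDefaultBrowserLayer), {}))
    return reachable_views(plain), reachable_views(skinned)
```

Running demo() shows that only the view on IMyLayer is hidden from an unskinned request; anything registered for the default layer or IBrowserRequest is exposed regardless of skin.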


_______________________________________________
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )
