> Subject: [Zope3-dev] Re: skin support for xmlrpc
> On 2007-09-14 18:54:01 +0200, "Fred Drake" <[EMAIL PROTECTED]> said:
> > On 9/14/07, Roger Ineichen <[EMAIL PROTECTED]> wrote:
> >> If you register views for a base request type, you probably will open
> >> a backdoor in other projects. Because
> > I'm not advocating registering views for the base request types
> > generally, but only the way to specify in the URL what the request
> > type is. Because sometimes we really do want completely separate sets
> > of XML-RPC (or whatever) interfaces.
> Ok, then I suggest:
> * Provide an IRequestType interface in zope.publisher
> * Provide an ++api++ traverser in zope.traversing which does
> `getUtility(IRequestType, *name*)`.
> * define class IBrowserSkinType(IRequestType)
> * Leave ++skin++ for IBrowserSkinType or just make it the
> same as ++api++
> * Keep layer="" on <xmlrpc:view>, <browser:page> etc.
If I understand the concept correctly, this is a built-in backdoor.
Doesn't this allow bypassing the Apache rewrite rule?
If the rewrite rule in Apache is:
Or does the ++api++ namespace recognize the skin?
Which means the rewritten URL is.
But then, do we need to register the ++api++ for each
layer? I guess this is not what you are asking for, right?
My main issue on this thread is always the same:
Skins are a security layer. And don't bypass them,
then this lets us use views which we don't like to
provide in a layer/skin.
I really don't understand this thread. Does nobody
take care on default traversal APIs? I'm really
confused now. Probably I don't see something or don't understand
it correctly. Do you understand what I mean with
this backdoor use case? Or am I totally wrong?
> Christian Zagrodnick
> gocept gmbh & co. kg . forsterstrasse 29 . 06112 halle/saale
> www.gocept.com . fon. +49 345 12298894 . fax. +49 345 12298891
> Zope3-dev mailing list