On 2007-09-15 17:35:20 +0200, "Roger Ineichen" <[EMAIL PROTECTED]> said:

Hi Christian

Betreff: [Zope3-dev] Re: skin support for xmlrpc

On 2007-09-14 18:54:01 +0200, "Fred Drake" <[EMAIL PROTECTED]> said:

On 9/14/07, Roger Ineichen <[EMAIL PROTECTED]> wrote:
If you register views for a base request type, you
probably will open
a backdor in other projects. Because

I'm not advocating registering views for the base request types
generally, but only the way to specify in the URL what the request
type is.  Because sometimes we really do want completely
separate sets
of XML-RPC (or whatever) interfaces.

Ok, then I suggest:

* Provide an IRequestType interface in zope.publisher
* Provide an ++api++ traverser in zope.traversing which does
`getUtility(IRequestType, *name*)`.
* define class IBrowserSkinType(IRequestType)
* Leave ++skin++ for IBrowserSkinType or just make it the
same as ++api++
* Keep layer="" on <xmlrpc:view>, <browser:page> etc.


If I understand the concept correct. This is a builtin backdoor.

Doesn't this allow to bypass the Apache rewrite rule?
With: http://www.foobar.com/++api++xmlrpc/doSomething

If the rewrite rule in Apache is:
RewriteRule (/?.*)

Or does the ++api++ namespace recognize the skin?
Which means the url rewritten url is.
With: http://www.foobar.com/++skin++OnlyHere/++api++xmlrpc/doSomething

A way to avoid this is to allow applying a skin / request type only once.

Zope3-dev mailing list
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com

Reply via email to