[Grok-dev] HTTP PUT and HTTP DELETE security support

Christian Theune ct at gocept.com
Thu May 17 03:25:36 EDT 2007


I'll have a look at the Zope 3 code in the train that I'm about to jump

I'm not keen about extending the existing API.

Adding another view sounds more useful right now, but we'll see.


Am Montag, den 14.05.2007, 23:23 +0200 schrieb Martijn Faassen:
> Hi grokkers, especially Philipp and Christian,
> I just tried to issue a HTTP PUT request to a Grok view, but traversal 
> totally failed even before it reached the view, because .get was a 
> forbidden attribute on a container. Looks like our security stripping 
> wasn't complete enough.
> I've hack-fixed this by amending Grok's configure.zcml to have this:
> <publisher
>     name="BROWSER"
>     factory=".publication.GrokBrowserFactory"
>     methods="GET POST HEAD PUT DELETE"
>     mimetypes="*"
>     priority="11"
>     />
> Previously 'PUT' and 'DELETE' were missing.
> Of course this has a reason - they aren't there in the Zope 3 publisher 
> registration either. Why not? I'm not sure. There's some PUT support 
> elsewhere in zope.app.http, but what that does exactly I'm not sure 
> about. Anyhow, I'd like Zope 3's security get out of my way, but we need 
> to understand what's going on with PUT in Zope 3 a bit more before I'll 
> feel secure in committing this change.
> My use case is that I want PUT (and DELETE) to be handled by views. When 
> the 'index' view receives a PUT request it detects this in the update 
> method and does stuff with the PUTTED data.
> Right now I have to hack to get to the actual data that's being PUT:
>       data = self.request.bodyStream.getCacheStream().getvalue()
> This because I don't want the normal GET/POST argument parser to try to 
> turn the PUT body into a dictionary. but want whatever was submitted.
> If this use case is considered to be common, we could consider adding 
> special functionality for this to Grok's views, perhaps a special 
> raw_update method that receives the putted input stream as an argument 
> (that would be called for at least POST and PUT, but perhaps we can make 
> it work for GET as well).
> Anyone have any insights about how this works in Zope 3 and how Grok 
> should be handling this?
> Regards,
> Martijn
> _______________________________________________
> Grok-dev mailing list
> Grok-dev at zope.org
> http://mail.zope.org/mailman/listinfo/grok-dev
gocept gmbh & co. kg - forsterstraße 29 - 06112 halle/saale - germany
www.gocept.com - ct at gocept.com - phone +49 345 122 9889 7 -
fax +49 345 122 9889 1 - zope and plone consulting and development
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Dies ist ein digital signierter Nachrichtenteil
Url : http://mail.zope.org/pipermail/grok-dev/attachments/20070517/965bf3bb/attachment-0001.bin

More information about the Grok-dev mailing list