[Zope-CMF] AW: last call before feature freeze! + !CMFTopic!

Kai Hoppert kai.hoppert at tomcom.de
Thu Aug 5 09:15:30 EDT 2004


>The idea is attractive.  I have a couple of questions on the code:

>   - Why allow only 'string:' and 'python:' expressions?  For instance,
>     your example above would work fine as
>     'portal/portal_membership/getAuthenticatedMember'.

At this point I looked in PageTemplates at how the expressions are handled there...
I just tested what you said... cool, this really works :) Nice, I didn't know that,
so it would make sense to remove this testing part.

>   - Do you think we might add more names to the context?  E.g.,
>     'criterion' and 'topic'.

Sorry, here I don't know what you really want... do you mean more tabs?

>   - Reusing the 'ssc_edit' form is OK, but maybe we should come up
>     with a better one (which explained the names available to the
>     expressions?)

Perhaps there could be a little redesign here, perhaps something such as the help boxes in Plone if you click
in the field while editing an object. Maybe there could also be an i18n translation here?!?

>and one on the implications:

>   - Exposing the ability to write code (even in the limited form of
>     'python:' or path expressions) at the "CMS" level might present
>     interesting security challenges.  I would guess that we should
>     think hard about how to restrict access to the ability to create
>     EC's.

If I understand it right, topics are queries against the catalog, so you don't care
which expression the user uses, because every result will be checked to see whether the user has the permission to
see it or not. If I use a string criterion and take the name admin, and there are private items for him, I will not see
them in the topic, or not, depending on the rights I have. So the Expression Criterion will be the same. Only the string result of the expression
is given to the catalog query. So there is nothing that can't also be created with a string expression.

Unless we remove the string conversion, so that for example we are also able to query about a controlled list of object
types. That could also be cool :).

But then you especially have to write portal/portal_membership/getAuthenticatedMember/id.
That was a reason why I used the string conversion, because here I had the user object.

Greetings 

Kai
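As an added illustration (not CMFTopic or Zope code, and independent of this thread's author), the toy below models the argument Kai makes: a criterion expression is evaluated, its result is coerced to a string and handed to the catalog, and the catalog's own permission filtering decides what the user sees. The portal, the member object, the catalog records and the permission rule are all constructed here; only 'string:' literals and slash-separated path expressions are modelled, and 'python:' expressions are left out.

```python
# Constructed stand-ins for the objects a path expression would traverse.
class Member:
    def __init__(self, member_id):
        self.id = member_id

    def __str__(self):          # the string conversion turns a member into its id
        return self.id


class MembershipTool:
    def __init__(self, current):
        self._current = current

    def getAuthenticatedMember(self):
        return self._current


def make_portal(user_id):
    # Constructed namespace: 'portal/portal_membership/...' is resolved against this.
    return {"portal": {"portal_membership": MembershipTool(Member(user_id))}}


def evaluate(expr, namespace):
    """Resolve a 'string:' literal or a path expression against the namespace.
    Each path segment is looked up as a dict key, then as an attribute; a
    callable found on the way is called, as TALES path traversal would do."""
    if expr.startswith("string:"):
        return expr[len("string:"):]
    if expr.startswith("python:"):
        raise ValueError("python: expressions are not modelled in this example")
    obj = namespace
    for part in expr.split("/"):
        obj = obj[part] if isinstance(obj, dict) else getattr(obj, part)
        if callable(obj):
            obj = obj()
    return obj


def criterion_value(expr, namespace, convert_to_string=True):
    """The value an expression criterion contributes to the catalog query."""
    value = evaluate(expr, namespace)
    return str(value) if convert_to_string else value


def query_catalog(catalog, index, value, user_id):
    """Constructed catalog lookup: a private item is returned only to its owner,
    whatever query value the expression produced. Lists are matched as a set."""
    wanted = list(value) if isinstance(value, (list, tuple)) else [value]
    return [rec["id"] for rec in catalog
            if rec[index] in wanted and (not rec["private"] or rec["owner"] == user_id)]
```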


More information about the Zope-CMF mailing list