[Zope3-Users] Re: View or content provider

Stephan Richter srichter at cosmos.phy.tufts.edu
Tue Jul 17 14:47:59 EDT 2007

On Tuesday 17 July 2007 14:18, Daniel Nouri wrote:
> > Content providers and viewlets are not publically traversable. Being
> > traversable does not make them insecure but it offers one more point of
> > access and a potential security hole if not reviewed correctly. Do you
> > test the security for all those little views?
> You're right.  There's potential security holes there.  However, my feeling
> is that views are well understood and that securing them is trivial.

Uh hu, if you say so. I bet you, you do not even know about half the URLs that 
are available on any given context. Just use APIDOC to discover them.

> Actually, I can think of why securing them individually is actually quite
> useful.  Imagine I register a utility that's a list of view or adapter
> names (for my site's left column).  A rendering view would go over that
> list, see if the views apply by trying to look them up on request and
> context and then check security.  Lastly, it would render the remaining
> items.

Well, that tests if the security is too tight not too loose.

> To each his own.  However, I'm not afraid to "roll my own" based on CA
> primitives, and others shouldn't be either.

No you should not, but you should be aware of certain things, including 
security. If you do not want to listen to our experiences you do not have to.

Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training

More information about the Zope3-users mailing list