On Tuesday 18 December 2007, Jim Fulton wrote:
If we register "absolute_url" in a layer which isn't used in a skin, then this view is not available as a traversable view because of the missing layer/named skin configuration.
Which does nothing to "protect" you from components registered for the default layer or for IBrowserRequest.
Yes, because in our code we never ever expose the registrations in the default layer. We consider that layer hostile. :-) (Eventually we hope to rid ourselves of even importing any configuration that registers into the browser layer, but the Zope packages need some refactoring to do this in a sane way.)

IBrowserRequest is a big problem, since it is the base interface for all layers. I used to scan the ZCML for components registered for IBrowserRequest. I have not done this in a while, but should make it a habit again. I hope that security analysis tools, such as z3c.securitytool, will eventually help us identify those problems.

Regards,
Stephan

--
Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training
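
The ZCML scan mentioned in the message above could look like the following sketch. It is an added example, not code from the thread or from any Zope package. The `example.*` names and the sample ZCML are constructed, and the set of directives checked and the "no `layer` attribute means default layer" rule are simplifying assumptions.

```python
import xml.etree.ElementTree as ET

BROWSER_NS = "http://namespaces.zope.org/browser"
LAYERED = {"page", "pages", "view"}   # assumed subset of layer-aware directives
BASE_REQUEST = "IBrowserRequest"      # base interface of every layer

# Constructed sample ZCML; everything under "example." is hypothetical.
SAMPLE_ZCML = """\
<configure xmlns="http://namespaces.zope.org/zope"
           xmlns:browser="http://namespaces.zope.org/browser">
  <browser:page name="absolute_url" for="*"
      class="example.views.AbsoluteURL" permission="zope.Public"
      layer="example.layer.IHardenedLayer" />
  <browser:page name="debug.html" for="*"
      class="example.views.Debug" permission="zope.Public" />
  <adapter name="index.html"
      for="example.interfaces.IDocument
           zope.publisher.interfaces.browser.IBrowserRequest"
      provides="zope.interface.Interface"
      factory="example.views.Index" />
</configure>
"""

def audit_zcml(text):
    """Return (directive, name, reason) for registrations every skin can see."""
    findings = []

    def walk(elem, inherited_layer=None):
        ns, _, local = elem.tag.rpartition("}")
        # Nested browser:page directives take the layer of their parent.
        layer = elem.get("layer", inherited_layer)
        name = elem.get("name", "")
        # Browser directive with no layer at all: lands in the default layer.
        if ns[1:] == BROWSER_NS and local in LAYERED and layer is None:
            findings.append((local, name, "default layer"))
        # Any directive naming the base request interface directly.
        for attr in ("layer", "type", "for"):
            tokens = elem.get(attr, "").split()
            if any(t.rsplit(".", 1)[-1] == BASE_REQUEST for t in tokens):
                findings.append((local, name, BASE_REQUEST))
        for child in elem:
            walk(child, layer)

    walk(ET.fromstring(text))
    return findings

if __name__ == "__main__":
    for directive, name, reason in audit_zcml(SAMPLE_ZCML):
        print(f"{directive} {name!r}: registered for {reason}")
```

Only the page bound to the dedicated layer passes; the other two registrations are reported because any skin built on any layer would expose them.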