On Dec 18, 2007, at 5:08 AM, Roger Ineichen wrote:
Hi Jim
Subject: Re: AW: [Zope-dev] Re: Request typing (to get the xmlrpc layer discussion finished)
[...]
Configuring views on layers will prevent us from backdoors if we reuse these easy installable eggs ;-)
Here is a simple sample of such a built-in backdoor:
At our fresh zope installation: http://localhost:8080/@@absolute_url
Of course it's not this dangerous, but it shows you what I mean.
How do skins avoid this?
Let me explain first how I define layer and skins.
- A layer is a configuration discriminator (request type) for traversable components.
- A named skin (configuration) makes it possible to traverse components using a context and this layer as discriminator as URL path.
This means in my point of view a layer is a concept which offers a configuration namespace which somebody can use or not. If a layer has already defined views it doesn't affect anything till we map this layer as traversable namespace. By a traversable namespace I mean the layer registered by its traversable name. Also called skin and accessible by ++skin++Name.
If we register "absolute_url" in a layer which isn't used in a skin, then this view is not available as traversable view because of the missing layer/named skin configuration.
Which does nothing to "protect" you from components registered for the default layer or for IBrowserRequest.

Jim

--
Jim Fulton
Zope Corporation
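A toy model of the lookup discussed in this thread, added here as an illustration and not code from Zope or from either poster. Plain Python classes stand in for layer interfaces, and `IEggLayer`, `IMySkin`, `IEggSkin`, the `egg_admin` and `index.html` views and the registration of `absolute_url` on `IBrowserRequest` are assumptions of the model; it shows which view names stay reachable under a skin depending on the layer they were registered for.

```python
# Toy model of Zope 3 view lookup keyed on request type (layer).
# Plain classes stand in for zope.interface interfaces; none of this is Zope code.

class IBrowserRequest: pass                            # base browser request type
class IDefaultBrowserLayer(IBrowserRequest): pass      # the default layer
class IEggLayer(IBrowserRequest): pass                 # hypothetical layer from a reused egg
class IMySkin(IDefaultBrowserLayer): pass              # hypothetical skin without IEggLayer
class IEggSkin(IEggLayer, IDefaultBrowserLayer): pass  # hypothetical skin including it

REGISTRY = {}  # (view name, layer) -> factory label (constructed sample data)

def register(name, layer, factory):
    REGISTRY[(name, layer)] = factory

def lookup(name, request_type):
    """Return the most specific registration visible to request_type, or None."""
    for layer in request_type.__mro__:   # most specific layer first
        if (name, layer) in REGISTRY:
            return REGISTRY[(name, layer)]
    return None

def reachable(request_type):
    """Audit helper: every view name a request of this type can traverse to."""
    names = sorted({name for name, _ in REGISTRY})
    found = {}
    for name in names:
        factory = lookup(name, request_type)
        if factory is not None:
            found[name] = factory
    return found

# Constructed registrations: base request type, default layer, egg layer.
register("absolute_url", IBrowserRequest, "AbsoluteURL")
register("index.html", IDefaultBrowserLayer, "IndexPage")
register("egg_admin", IEggLayer, "EggAdminPage")

if __name__ == "__main__":
    for skin in (IMySkin, IEggSkin):
        print(skin.__name__, reachable(skin))
```

Running `reachable()` over every skin a site exposes gives the list of view names to review for permissions, including those inherited from the base request type.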