Zope XML-RPC with SQL Methods
Hi All, I've been playing around a bit with the recently added XML-RPC support for Zope, graciously added by Eric Kidd ( Thank you Eric! ) and have been able to create External Methods and access them remotely from two different XML-RPC clients ( xmlrpclib in Python and Frontier::Client in Perl). This is all VERY cool! I was then wondering if it would be possible to directly call a SQL Method from the client and get results ( ok maybe I was reaching too far too quick, but what the heck I gave it a shot...). This of course did not work. I tried a variety of different SQL methods (all selects ranging from returning single result record to returning multiple record sets). It seems as though SQL Methods are not directly callable from the web, but rather must be referenced from another DTML method/document. When I do try to directly call a SQL Method from the web it always tries to take me to the 'manage_TestForm' for the method. It seems that 'index_html' always redirects there. Is there some deep level of Zen for why this must be the case? Are there security implications if SQL Methods were directly callable? It seems to me that to be able to do: import xmlrpclib s = xmlrpclib.Server("http://somemachine.domain/") result_records = s.method_folder.some_sql_method() would be just WAY TOO COOL! What would it take to make SQL methods directly callable from XML-RPC? Am I just missing something? (very possible :^) Thanks in advance, Dave -- ---------------------------------------------------- David R. White Raytheon Electronic Systems Process Support (508) 440-2087 528 Boston Post Rd. Sudbury, MA 01776 davew@ed.ray.com ----------------------------------------------------
David White wrote:
Hi All,
I've been playing around a bit with the recently added XML-RPC support for Zope, graciously added by Eric Kidd ( Thank you Eric! ) and have been able to create External Methods and access them remotely from two different XML-RPC clients ( xmlrpclib in Python and Frontier::Client in Perl). This is all VERY cool!
I was then wondering if it would be possible to directly call a SQL Method from the client and get results ( ok maybe I was reaching too far too quick, but what the heck I gave it a shot...). This of course did not work. I tried a variety of different SQL methods (all selects ranging from returning single result record to returning multiple record sets). It seems as though SQL Methods are not directly callable from the web, but rather must be referenced from another DTML method/document. When I do try to directly call a SQL Method from the web it always tries to take me to the 'manage_TestForm' for the method. It seems that 'index_html' always redirects there.
Is there some deep level of Zen for why this must be the case?
The short answer is no. (There is a longer answer that is a bit more ambiguous, but I'll spare you that. ;) Really, when doing xml- rpc, Zope should not try to use index_html. I'll fix this.
Are there security implications if SQL Methods were directly callable?
Not really. (snip)
would be just WAY TOO COOL! What would it take to make SQL methods directly callable from XML-RPC?
Three things: - the index_html thing needs to be fixed. - The thing that marshals results need to be able to figure out how to marshal SQL method results. SQL methods return "result" objects, which are sequences of records. Records are objects that can be treated as mapping objects, sequences, or instances. Results need to be marshalled as xml-rpc arrays of structs. I'm not sure what protocols are needed to make this happen. I'll give this some thought. - SQL method expect parameters to be provided by name. Xml-rpc wants to provide parameters positionally. SQL methods would need to be changed to handle positional parameters. If we has TTW Python methods, then I'd suggest using Python methods that had positional arguments and called SQL methods. You could do this with External methods now. For example, imagine that you have a SQL method, sql, that takes parameters x and y, you could have an external method like: def call_sql(x, y, self): """Call an SQL method and return a list of dictionaries This will get converted to an xml-rpc array of structs """ result=self.sql(x=x, y=y) r=[] names=result.names() for row in result: d={} for name in names: d[name]=row[name] r.append(d) return r Alternatively, if you want an array of arrays, with maybe some column meta data: def call_sql(x, y, self): """Call an SQL method and return a list of dictionaries This will get converted to an xml-rpc array of structs """ result=self.sql(x=x, y=y) return result.names(), result.data_dictionary(), map(tuple, result) Jim -- Jim Fulton mailto:jim@digicool.com Python Powered! Technical Director (888) 344-4332 http://www.python.org Digital Creations http://www.digicool.com http://www.zope.org Under US Code Title 47, Sec.227(b)(1)(C), Sec.227(a)(2)(B) This email address may not be added to any commercial mail list with out my permission. Violation of my privacy with advertising or SPAM will result in a suit for a MINIMUM of $500 damages/incident, $1500 for repeats.
On Wed, Jun 23, 1999 at 11:05:46AM -0400, Jim Fulton wrote:
The short answer is no. (There is a longer answer that is a bit more ambiguous, but I'll spare you that. ;) Really, when doing xml- rpc, Zope should not try to use index_html. I'll fix this.
Thank you. I'd never understand how to fix this. :-)
- The thing that marshals results need to be able to figure out how to marshal SQL method results. SQL methods return "result" objects, which are sequences of records. Records are objects that can be treated as mapping objects, sequences, or instances. Results need to be marshalled as xml-rpc arrays of structs. I'm not sure what protocols are needed to make this happen. I'll give this some thought.
Also, watch out for methods which return any of the following: '' 0 [] Z ORB doesn't like values which evaluate to false, and won't successfully return them via XML-RPC. This might occur if query results were empty, for example. I'm trying to figure out how to fix this for XML-RPC without breaking other parts of Zope.
- SQL method expect parameters to be provided by name. Xml-rpc wants to provide parameters positionally. SQL methods would need to be changed to handle positional parameters.
I now have a wrapper product which allows positional parameters to be used from DTML. This is a slight abuse of DTML, but allows XML-RPC wrappers to be written through the web in the absence of Python TTW. Cheers, Eric
On Wed, Jun 23, 1999 at 09:27:56AM -0400, David White wrote:
Is there some deep level of Zen for why this must be the case? Are there security implications if SQL Methods were directly callable? It seems to me that to be able to do:
import xmlrpclib s = xmlrpclib.Server("http://somemachine.domain/") result_records = s.method_folder.some_sql_method()
would be just WAY TOO COOL! What would it take to make SQL methods directly callable from XML-RPC? Am I just missing something? (very possible :^)
I would like this to work, too. ;-) Unfortunately, I really don't grok this part of Zope very well. See my next message for details. Cheers, Eric
participants (3)
-
David White -
Eric Kidd -
Jim Fulton