RE: [Zope-dev] feedback wanted on ZCatalog changes...
-----Original Message-----
From: Anthony Baxter [mailto:anthony@interlink.com.au]
Sent: Tuesday, January 04, 2000 6:27 PM
To: Michel Pelletier
Cc: zope-dev@zope.org
Subject: Re: [Zope-dev] feedback wanted on ZCatalog changes...
do you think? Can you reproduce a security violation with your patch?
Nope. Not in my application. In _theory_ I can see that you could have a security problem if you weren't aware that the indexing occurs in the context running the findandapply request - but then, it does already (see above). Heck, you could even make it a toggle option in the page 'index acquired objects'.
Ok, this is a good compromise. I'll put a checkbox on the find form and add some logic to the find method to either acquire or not.
[*1] Go to www.ekit.com, sign up for an account (about 3 clicks), then click on 'help'. The tree on the left is populated from ZCatalog searches, which amongst other things only show help for the stuff your account is able to do; the search box is a textindex of the files (which, again, only searches the help for stuff your account can do); and the lookup of a help document (like when you click on a help link) will hit the ZCatalog to look up the file's path. The help files themselves are maintained by a non-techie in Dreamweaver, and uploaded into Zope. ZCatalogs rock :)
Thanks! -Michel
Michel Pelletier wrote:
-----Original Message-----
From: Anthony Baxter [mailto:anthony@interlink.com.au]
Sent: Tuesday, January 04, 2000 6:27 PM
To: Michel Pelletier
Cc: zope-dev@zope.org
Subject: Re: [Zope-dev] feedback wanted on ZCatalog changes...
do you think? Can you reproduce a security violation with your patch?
Nope. Not in my application. In _theory_ I can see that you could have a security problem if you weren't aware that the indexing occurs in the context running the findandapply request - but then, it does already (see above). Heck, you could even make it a toggle option in the page 'index acquired objects'.
Ok, this is a good compromise. I'll put a checkbox on the find form and add some logic to the find method to either acquire or not.
May I suggest another checkbox to enable indexing on a rendered value? The combination of these two enhancements would let you create a single textindex on an acquired method that aggregated several different attributes, for example 'title', 'Content', 'Answer', etc. By using an acquired, rendered value, you could standardize on a single index, and just override the method where appropriate in your hierarchy.

Michael Bernstein.
--
-------------------------------------------
Michael Bernstein
webmaven@SPORKlvcm.com
FIAWOL {Fandom Is A Way Of Life}
http://www.fiawol.com
-------------------------------------------
Remove the KFC utensil to reply.