Dylan Reinhardt wrote:
On Wed, 2003-09-10 at 16:46, Roy Rapoport wrote:
Jamie Heilman wrote: [Zope Security is an oxymoron]
3) Never use DTML.
Why?
Because DTML offends some Zope users' sense of aesthetics, that's why.
It goes beyond that. DTML is a stack of namespaces, and more often than not the end results are unpredictable. The ZMI, largely made up of DTMLFile objects, is painfully susceptible to abuse, for example: drop an object called URL or URL1 or BASEPATH1 into your zodb, then try to manage objects at the same level, but notice how everything breaks... that's DTML in a nutshell.

Now, it's not that DTML is impossible to write such that the expected results are always realized, it's that very few people, including ZC, bother to do so because it means heavy use of fully qualified variables, which are frequently inconvenient and appear overly verbose. (You end up with a lot of "<dtml-var REQUEST.BASEPATH1 html_quote>" instead of "&dtml-BASEPATH1;".)

By now folks have mostly learned that explicit qualification is preferred to implicit qualification, and it's not simply a matter of aesthetics at stake, but rather a matter of predictability and sanity at even the most basic levels of authorship. DTML was an interesting experiment in contextual namespace collusion, it failed, and now we have ZPT.

-- 
Jamie Heilman http://audible.transient.net/~jamie/
"You came all this way, without saying squat, and now you're trying to tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile? I liked you better when you weren't saying squat kid." -Buddy
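The shadowing described in the message above, as an added example that is not part of the original post and is not Zope code: a simplified Python model of a namespace stack in which folder contents are searched before REQUEST (an assumption of the model). It shows the unqualified lookup changing when an object named BASEPATH1 appears while the REQUEST-qualified lookup does not; all class names, function names and sample data are constructed for illustration.

```python
from html import escape


class NamespaceStack:
    """Toy model of a DTML-style namespace stack (not Zope's implementation)."""

    def __init__(self):
        self._layers = []  # the last pushed layer is searched first

    def push(self, name, mapping):
        self._layers.append((name, mapping))

    def lookup(self, key):
        """Implicit lookup: the first layer that defines the key wins."""
        for layer_name, mapping in reversed(self._layers):
            if key in mapping:
                return layer_name, mapping[key]
        raise KeyError(key)


def build_stack(request, folder_contents):
    """Assumed order for this model: folder objects sit above REQUEST."""
    stack = NamespaceStack()
    stack.push("REQUEST", request)
    stack.push("folder", folder_contents)
    return stack


def render_implicit(stack, key):
    """Models &dtml-KEY; : unqualified name, HTML-quoted."""
    return escape(str(stack.lookup(key)[1]))


def render_qualified(request, key):
    """Models <dtml-var REQUEST.KEY html_quote> : reads REQUEST only."""
    return escape(str(request[key]))


def shadowed_names(stack, request):
    """Audit helper: REQUEST keys that an implicit lookup resolves elsewhere."""
    return sorted(k for k in request if stack.lookup(k)[0] != "REQUEST")


# Constructed sample data, not taken from a real Zope instance.
REQUEST = {"URL1": "http://example.test/site", "BASEPATH1": "/site"}
CLEAN_FOLDER = {"index_html": "<page>"}
CLASHING_FOLDER = {"index_html": "<page>", "BASEPATH1": "<File at /site/BASEPATH1>"}

if __name__ == "__main__":
    for label, folder in (("clean", CLEAN_FOLDER), ("clashing", CLASHING_FOLDER)):
        stack = build_stack(REQUEST, folder)
        print(label, render_implicit(stack, "BASEPATH1"),
              render_qualified(REQUEST, "BASEPATH1"), shadowed_names(stack, REQUEST))
```

The `shadowed_names` helper is the defensive check in this model: any name it reports is one a template must reference through REQUEST explicitly to get a predictable value.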