[Grok-dev] HTTP PUT and HTTP DELETE security support
Martijn Faassen
faassen at startifact.com
Mon May 14 17:23:05 EDT 2007
Hi grokkers, especially Philipp and Christian,
I just tried to issue a HTTP PUT request to a Grok view, but traversal
totally failed even before it reached the view, because .get was a
forbidden attribute on a container. Looks like our security stripping
wasn't complete enough.
I've hack-fixed this by amending Grok's configure.zcml to have this:
    <publisher
        name="BROWSER"
        factory=".publication.GrokBrowserFactory"
        methods="GET POST HEAD PUT DELETE"
        mimetypes="*"
        priority="11"
        />
Previously 'PUT' and 'DELETE' were missing.
Of course this has a reason - they aren't there in the Zope 3 publisher
registration either. Why not? I'm not sure. There's some PUT support
elsewhere in zope.app.http, but what that does exactly I'm not sure
about. Anyhow, I'd like Zope 3's security to get out of my way, but we need
to understand what's going on with PUT in Zope 3 a bit more before I'll
feel secure in committing this change.
My use case is that I want PUT (and DELETE) to be handled by views. When
the 'index' view receives a PUT request it detects this in the update
method and does stuff with the PUTTED data.
Right now I have to hack to get to the actual data that's being PUT:
    data = self.request.bodyStream.getCacheStream().getvalue()
This is because I don't want the normal GET/POST argument parser to try to
turn the PUT body into a dictionary, but want whatever was submitted.
If this use case is considered to be common, we could consider adding
special functionality for this to Grok's views, perhaps a special
raw_update method that receives the putted input stream as an argument
(that would be called for at least POST and PUT, but perhaps we can make
it work for GET as well).
Anyone have any insights about how this works in Zope 3 and how Grok
should be handling this?
Regards,
Martijn
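As an added illustration, not Grok's or Zope's own code, here is a small self-contained model of the two things the message touches: a method allow-list in front of the views, mirroring the methods attribute of the publisher registration, and a view whose update method keeps a PUT body raw instead of running it through the form parser. Request, IndexView, publish and the bodyStream attribute are constructed stand-ins for the real Zope objects.

```python
from io import BytesIO
from urllib.parse import parse_qs

# Method lists constructed to mirror the ZCML before and after the change.
PUBLISHER_METHODS_BEFORE = ("GET", "POST", "HEAD")
PUBLISHER_METHODS_AFTER = ("GET", "POST", "HEAD", "PUT", "DELETE")


class Request:
    """Stand-in for the Zope request: a method and a body stream (assumed shape)."""

    def __init__(self, method, body=b""):
        self.method = method
        self.bodyStream = BytesIO(body)  # hypothetical; mirrors request.bodyStream

    def raw_body(self):
        # The untouched bytes, as the post gets them via getCacheStream().getvalue().
        return self.bodyStream.getvalue()

    def form(self):
        # What the normal GET/POST argument parser would turn the body into.
        return {k: v[0] for k, v in parse_qs(self.raw_body().decode()).items()}


class IndexView:
    """Hypothetical view: update() branches on the request method."""

    def __init__(self, request):
        self.request = request
        self.stored = None

    def update(self):
        if self.request.method == "PUT":
            self.stored = self.request.raw_body()  # keep whatever was submitted
            return "stored"
        if self.request.method == "DELETE":
            self.stored = None
            return "deleted"
        if self.request.method == "POST":
            self.stored = self.request.form()  # parsed into a dictionary
            return "form-parsed"
        return "rendered"


def publish(request, allowed_methods):
    """Model of the publisher: unlisted methods never reach the view (status 405 here)."""
    if request.method not in allowed_methods:
        return 405, None
    view = IndexView(request)
    return 200, view
```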