[Grok-dev] Re: HTTP PUT and HTTP DELETE security support
Philipp von Weitershausen
philipp at weitershausen.de
Thu May 17 16:20:56 EDT 2007
Martijn Faassen wrote:
> This code makes the assumption that a method '__call__' is always the
> thing to check. This is true in case of the view,
It's true for all things that end up as published objects of a *browser*
request. This is what we commonly call a browser page. The interface
that is mandated here is IBrowserPublisher, it includes __call__.
> but that's not right in case of PUT.
Zope 3's HTTP publication looks up views where name=request.method and
then calls a method with that same name on that view object.
> Looks like I'll have to introduce my own version of
> callObject for GrokHTTPPublication that doesn't make this assumption. I
> hacked around this for now by disabling the whole checker thing altogether.
>
> BrowserPublication handles GET and POST, where this assumption makes
> sense. In case of PUT and DELETE, it'll try to call a method called PUT
> or DELETE on a view registered for IHTTPRequest.
Right.
[snip discussion of various approaches to implementing a PUT view]
I would suggest introducing a grok.REST class:
    class MammothREST(grok.REST):
        def PUT(self):
            pass
        def DELETE(self):
            pass
        def ANY_HTTP_VERB(self):
            pass
Naturally, we'll have to come up with a decent interpretation of the
GET/POST case. By default, GET/POST are interpreted as browser requests
and the browser publication looks up a default view ('index') when you're
GETting or POSTing to a resource (/herd/manfred ends up really being
/herd/manfred/index). Perhaps if there's no such 'index' view, Grok's
browser publication will fall back to the REST adapter and look up the
"GET" view (or "POST" view, respectively):
    class Herd(grok.Container):
        pass

    class HerdREST(grok.REST):
        def POST(self, item_name, name='Manfred'):
            self.context[item_name] = mammoth = Mammoth(name)
            self.redirect(self.url(mammoth))
We could also do it the other way around, like you suggest, and look for
the REST handlers for GET/POST first, before falling back to 'index'
browser pages.
> It will take a bit of work to make this happen though, as I don't think
> the zope 3 publisher supports doing this out of the box.
The Zope 3 publisher supports everything out-of-the-box :). That is to
say that the actual policy is in the publication (what happens when,
which views to look up, etc.).
> We'll have to
> to make some code that looks for this Post thing first, and if it's not
> there, fall back on the normal view behavior. This has some performance
> implications, however (an extra view lookup).
An extra adapter lookup is not likely going to be a big performance
killer. Also, let's not optimize prematurely :).
> Comments? Ideas? Eager Zope 3 publisher hackers volunteering to start
> building this? :)
I've long been wanting to build a saner publication than
zope.app.publication. With as many modifications as we're planning, it
might make sense to start from scratch...
Btw, I suppose we've now settled on the idea of making Grok explicitly
*not* compatible with traditional Zope 3 browser pages defined via
<browser:page />, right?
--
http://worldcookery.com -- Professional Zope documentation and training
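As an added illustration (not Grok's or Zope 3's own code; the HerdREST, Request and permission names are made up for it), here is a toy publication that looks up the method named after request.method and checks that method's permission before calling it, next to the __call__-only check the thread describes as the wrong assumption for PUT and DELETE:

```python
from dataclasses import dataclass

class Forbidden(Exception):
    pass

class NotFound(Exception):
    pass

@dataclass
class Request:
    method: str         # HTTP verb, e.g. "PUT" (constructed request)
    granted: frozenset  # permissions the caller holds (constructed)

class HerdREST:
    # Hypothetical per-verb permission map; a browser page would instead
    # declare one permission that protects __call__.
    permissions = {"GET": "zope.View", "PUT": "zope.ManageContent",
                   "DELETE": "zope.ManageContent"}
    call_permission = "zope.View"  # what a __call__-only checker consults

    def __init__(self, context, request):
        self.context, self.request = context, request

    def __call__(self):  # browser-style rendering of the resource
        return sorted(self.context)

    def PUT(self, name="Manfred"):
        self.context[name] = {"name": name}
        return name

    def DELETE(self, name="Manfred"):
        del self.context[name]
        return name

def call_object_checking_call(view, request):
    """The assumption discussed above: the checker only consults __call__,
    so a PUT or DELETE is gated by the view's rendering permission."""
    if view.call_permission not in request.granted:
        raise Forbidden("__call__")
    return getattr(view, request.method)()

def call_object(view, request):
    """Look up the method named after request.method and check the
    permission declared for that method before invoking it."""
    handler = getattr(view, request.method, None)
    required = view.permissions.get(request.method)
    if handler is None or required is None:
        raise NotFound(request.method)
    if required not in request.granted:
        raise Forbidden(request.method)
    return handler()
```

With call_object_checking_call a principal holding only zope.View can DELETE, because only __call__'s permission is ever consulted; call_object refuses the same request.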