[Zope-CMF] Re: last call before feature freeze! + !CMFTopic!
Florent Guillaume
fg at nuxeo.com
Fri Aug 6 11:13:36 EDT 2004
In article <411228C2.9020907 at zope.com> you write:
> Kai Hoppert wrote:
>
> > I developed an ExpressionCriterion field for CMFTopic. It acts like a
> > normal SimpleStringCriterion. The difference is that you can use python
> > and string expressions. For example you can write
> > python:portal.portal_membership.getAuthenticatedMember(), so that you
> > only need one topic to show all items an authenticated member has
> > created.
> >
> > Does anybody need this? Is it interesting to integrate this in CMFTopic
> > for the next release? Open the attachment to see the code.
>
> The idea is attractive. I have a couple of questions on the code:
>
> - Why allow only 'string:' and 'python:' expressions? For instance,
> your example above would work fine as
> 'portal/portal_membership/getAuthenticatedMember'.
>
> - Do you think we might add more names to the context? E.g.,
> 'criterion' and 'topic'.
>
> - Reusing the 'ssc_edit' form is OK, but maybe we should come up
> with a better one (which explained the names available to the
> expressions?)
>
> and one on the implications:
>
> - Exposing the ability to write code (even in the limited form of
> 'python:' or path expressions) at the "CMS" level might present
> interesting security challenges. I would guess that we should
> think hard about how to restrict access to the ability to create
> EC's.
That's a problem yes. The expression is written by a CMS user having the
right to create topics, but it's executed by any user viewing that
topic. There is a classic possibility of trojans here.
Florent
--
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 71 59 http://nuxeo.com mailto:fg at nuxeo.com
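The criterion discussed in this thread, modelled stand-alone in Python as an added example (this is not the attached code, nor CMFTopic's own implementation). It follows the reply's suggestions: the expression is resolved as a TALES-style path or a 'string:' template over an explicit namespace that also exposes 'topic' and 'criterion', and 'python:' expressions are refused outright, since the expression is authored by whoever may create topics but is evaluated with the privileges of every viewer. The _Portal, _MembershipTool and _Member classes, build_namespace and creator_filter_for are constructed stand-ins; getCriteriaItems returning (field, value) pairs mirrors the shape CMFTopic criteria use, simplified here (assumption).

```python
import re

class CriterionError(ValueError):
    """Raised for expressions the criterion refuses or cannot resolve."""

# '${path}' substitutions inside a 'string:' expression.
_SUBST = re.compile(r'\$\{([^}]+)\}')

def resolve_path(path, namespace):
    """Resolve a TALES-style path such as
    'portal/portal_membership/getAuthenticatedMember'.

    The first segment must be a name in the explicit namespace; later
    segments are mapping or attribute lookups.  Segments starting with
    '_' are refused, and any callable reached is called with no
    arguments, as TALES traversal does.
    """
    parts = [p for p in path.strip().split('/') if p]
    if not parts:
        raise CriterionError('empty path expression')
    if parts[0] not in namespace:
        raise CriterionError('unknown root name %r' % parts[0])
    obj = namespace[parts[0]]
    for seg in parts[1:]:
        if seg.startswith('_'):
            raise CriterionError('private name %r is not traversable' % seg)
        try:
            obj = obj[seg] if isinstance(obj, dict) else getattr(obj, seg)
        except (KeyError, AttributeError):
            raise CriterionError('cannot traverse %r in %r' % (seg, path))
        if callable(obj):
            obj = obj()
    return obj

def evaluate(expression, namespace):
    """Evaluate a 'string:' template, a 'path:' expression or a bare path.

    'python:' is refused: the criterion author would otherwise run
    arbitrary code under the privileges of whoever views the topic.
    """
    expression = expression.strip()
    if expression.startswith('python:'):
        raise CriterionError('python: expressions are not accepted')
    if expression.startswith('string:'):
        body = expression[len('string:'):]
        return _SUBST.sub(
            lambda m: str(resolve_path(m.group(1), namespace)), body)
    if expression.startswith('path:'):
        expression = expression[len('path:'):]
    return resolve_path(expression, namespace)

def is_rejected(expression, namespace):
    """True if the criterion refuses the expression."""
    try:
        evaluate(expression, namespace)
    except CriterionError:
        return True
    return False

class ExpressionCriterion:
    """Topic criterion whose value is computed when the topic is viewed."""
    def __init__(self, field, expression):
        self.field = field
        self.expression = expression

    def getCriteriaItems(self, namespace):
        # (field, value) pairs for the catalog query (simplified shape).
        return ((self.field, evaluate(self.expression, namespace)),)

def build_namespace(portal, topic, criterion):
    """The explicit set of names an expression may reference (constructed)."""
    return {
        'portal': portal,
        'topic': topic,
        'criterion': criterion,
        'member': portal.portal_membership.getAuthenticatedMember(),
    }

# --- constructed stand-ins for the portal, not Zope/CMF objects ---
class _Member:
    def __init__(self, member_id):
        self.id = member_id
    def getId(self):
        return self.id

class _MembershipTool:
    """The authenticated member is whoever is viewing the topic."""
    def __init__(self, viewer_id):
        self._viewer = _Member(viewer_id)
    def getAuthenticatedMember(self):
        return self._viewer

class _Portal:
    def __init__(self, viewer_id):
        self.portal_membership = _MembershipTool(viewer_id)
        self.title = 'Demo portal'

def creator_filter_for(viewer_id):
    """Catalog query items produced for the viewer of a 'my items' topic."""
    portal = _Portal(viewer_id)
    topic = {'id': 'my-items', 'title': 'My items'}
    crit = ExpressionCriterion(
        'Creator', 'portal/portal_membership/getAuthenticatedMember/getId')
    return crit.getCriteriaItems(build_namespace(portal, topic, crit))
```

One topic with the path expression above yields a different Creator filter for each viewer, which is the use case from the original post, while the names reachable from an expression stay limited to what build_namespace hands out.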