[Zope-dev] Using DTML is too difficult

Martijn Faassen m.faassen@vet.uu.nl
Wed, 10 Nov 1999 17:48:29 +0100


Ah, more people replying to my rant. Thanks!

"Andrew M. Kuchling" wrote:

[I say DTML is too much like Perl]
> Amusingly, Greg Ward, the resident Perl expert here, made the same
> comparison after working with Zope for a while, and I can see his
> point.  There are lots of default behaviours that usually do the Right
> Thing, but when they aren't what you want, it can be hard to figure
> out what's going on.

Right. And often things are spelled in rather nasty ways. Note that it
is great that you *can* spell them at all. DTML is undoubtedly extremely
powerful.

> When things do go wrong, you don't have a lot of
> diagnostic tools to pin down the problem; what's my namespace stack
> look like?  Developing Zope stuff, I find I'm often inserting "return
> repr(someobject)" into ExternalMethods to check on variable values; a
> Web-based namespace + variable browser would be helpful.

As another trick you can raise an exception. I've used this to debug
products and such. A nice browser would definitely help, though.

> DTML is beautiful when the problem maps nicely to existing DTML
> constructs;

Agreed. Today my coworker wanted a list sorted alphabetically. That was
just a question of adding 'sort=title' to the in tag and it worked.
About a minute's work. That's great. We shouldn't lose that.

[discussion of drawbacks of writing Python]

I comment on this in my reply to Rik's post.
 
> Security is, I think, part of the reason that DTML is a sandbox; if
> someone gets your Zope management password, they can edit your pages
> and run SQL commands in your database, but they can't do 'rm -rf /',
> because they can't install ExternalMethods or classes without access
> to the machine's filesystem, and there's no way to do such things from
> DTML.

Don't forget Zope's powerful security delegation features as well.
Someone who is only a local manager is unable to mess up the rest of the
site. DTML security is good here too.

> I'm not sure what the fix is: a hypothetical ngDTML, which is
> different from DTML and would provide more of Python's power?

I think a start from scratch with a 'ngDTML' would definitely be a good
approach, in time. It could still look and feel very similar to current
DTML, but be more consistent and simpler. Current powerful but ad hoc
constructs should be generalized or moved into a 'library' somehow.
 
> Better
> debugging tools and support with Zope?  

This would help too.

> Better support for developing
> and debugging your code outside of the Zope server? 

This would help too.

> I think the
> solution lies more with the latter two options; 

Definitely the latter two options, combined with more and better
documentation, would be the best short-term approach, but I don't think
the current evolution of DTML is good in the long term.

> ngDTML would be
> difficult to design, and it might be easy to repeat the same mistakes.

Definitely it wouldn't be an easy thing to design. But I think this is a
solution we should definitely look at for the longer term.

> Let me hasten to add that this isn't Zope-bashing. 
[snip]

This isn't either. Zope is cool!

Regards,

Martijn