[Zope-dev] Annouce Developer Version DTML-Page-Contract

ender kthangavelu@earthlink.net
Mon, 22 Jan 2001 06:31:54 -0800


hello zen masters

i just finished documenting a developer version of a port of the ACS's 
(arsdigita community system) acs_page_contract to dtml.  test it out,
i'm pretty sure everyone will be happy with the simplification of the 
resulting dtml. 

feed back and thoughts welcome.

if no bugs are found in the next week or so i'll make it a general release,
new filters are always welcome.

available at 

http://www.zope.org/Members/k_vertigo/PageContract.tgz

kapil


readme included below.

README.txt

INSTALL:
	extract PageContact.tgz in your zope directory. it will create
	a python product in lib/python/Products. you will need to
	restart zope before you can use dtml-contract

UNINSTALL:
	remove the PageContract directory from lib/python/Products and
	restart zope.

I. What
	Page-Contract is a python product that adds a new type of dtml-tag 
	to your zope installation. dtml-contract is a multi-purpose tag that
	is designed to provide documentation, marshalling and filtering of
	request data, and custom error handling of the request data. the
	documentation comes from a read only section of the contract 
	which should describe the purpose of the object, its author, and
	some information about its parameters. the marshalling and filtering
	is done by naming variables expected in the request and associating
	one or more filters with those variables. PageContract comes with
	a set of prebuilt filters although it can easily be extended by
	writing new filters. lastly it allows association of different
	error handlers to different variables.


II. Why
	Zope already includes facilties to perform simple marshalling of 
	REQUEST values submitted via GET/POST into python data_types. This
	facility is built into ZPublisher. There are a couple of problems
	with this facility in real world usage. First, ZPublishers 
	marshalling isn't secure because it retrievesmarshalling info from
	the REQUEST, a cracker could perform url surgery to by pass
	the marshalling. Second, ZPublishers marshalling isn't easily
	extensible to provide application level support of. The marshalling
	is buried square in the guts of the Publishing process, even if you
	did extend it would be too early in the Publishing of the object to
	perform any meaningful application specific processing (ie you don't
	know where you're going so how do you know what you'll see when you 
	get there). Third ZPublisher has no concept of excluding parts of 
	the REQUEST that aren't needed, this is mitigated by Zope placing the
	REQUEST on the bottom of the namespace stack, however it still 
	provides a means for accidents (ie. you're expecting this object to have this
	attr, but it doesn't but the REQUEST has that attr). dtml-contract 
	can optionally strip the REQUEST of variables not explicitly named
	within it. Fourth, ZPublisher is inflexible about how it handles 
	errors. ZPublisher has hardcoded return values whenever it hits
	a bad input AND it short circuits the evalutation. Users don't 
	get informative messages regarding their errors other than they 
	made one. dtml-contract differs in that it collects all errors 
	and associates them with their variables and provides the option
	of custom error pages on a variable by variable basis with 
	information passing about the errors. (The current implementation
	is limited in that it only passes a list of filter errors to the
	error handler via a url string.)

	The dtml-contract also hopes to offer a standardized form
	of documenting your zope objects (DTML_METHODS, DOCUMENTS,
	and the like) by standardizing on a documentation format
	and a location for that documentation.


III. How
	So how do you use it?

	<dtml-contract>
	
	Documentation about this object

	@author Kapil Thangavelu <k_vertigo@yahoo.com>
	@params myobj_id the id of the object where after
	@params title we'll set the object's title to this value
	@params thedate should be the range of the bada and bing
            @params foobar optional integer value that tells us whats going on

	<dtml-params>

	myobj_id:objid
	foobar:integer,optional
	thedate:range(date, 1.1.1, 11/11/11)
	title:string
	<dtml-exceptions>
	myobj_id:my_error_page
	generic_error_page
	</dtml-contract>

	Generally dtml-contracts should be used at the start of a dtml
	page. why? so they can be easily referenced for documentation
	and knowledge of the expected parameters.

	Caveats. Note that there are no strict enforcements of the documentation
	section. Although some future documentation extraction utility 
	would benefit from it:) Also note other dtml tags are not allowed
	within the dtml-contract, trying to do so will have it abort. this
	is done mainly as a security feature to prevent malicious code
	from doing bad things (TM) to your zope server.

	I have made some attempts to make this code fast. it will ignore
	obviously alike filters such as :integer,naturalnum and it will 
	execute only naturalnum since it is the more exclusive of the 
	filters. it will short circuit on an optional variable if its not
	in the request.

	Full Documentation on the syntax is in 
	README_SYNTAX
	
	So how do you write a filter?
	see the README_FILTER document for more info on filter
	interfaces.

IV. Who
	@author Kapil Thangavelu <k_vertigo@yahoo.com>
 	
	thanks to Petru Paler for the seed.
	thanks to the members of Hayholt, AU for testing an alpha version
	and offering feedback on this documentation.

	thanks to ArsDigita.com for putting out a quality open 
	source community-toolkit and acs_page_contract upon which this is based.

	and of course thanks to Digital Creations for creating and releasing Zope

	PAGE_CONTRACT IS RELEASED UNDER THE GPL.

V. When (this section included for completeness:)
	Where do you want to go tomorrow?
	www.zope.org, ZopeDealers to the Internet