[Zope-dev] [RFClet]: What about the request method and the client side trojan?

Lennart Regebro lennart@torped.se
Thu, 11 Apr 2002 16:48:18 +0200


From: "Casey Duncan" <casey@zope.com>
> My point is how do you distinguish <dtml-var foo> meaning "Call foo
> passing everything from the namespace that maps to an arg" from
> <dtml-var foo> meaning "Call foo passing everything, but foo doesn't use
> anything" from <dtml-var foo> "Call foo and foo takes no arguments" from
> <dtml-var foo> "foo is not callable, so return the value of foo".

My point is: Why on earth would you do that? I don't see how preventing the
calling of <dtml-var foo> but allowing <dtml-var "foo()"> would have any
significant positive contribution, (except possibly clarity).

> Also, are we talking about only fixing the "action on GET" for the ZMI
> or for all Zope apps? If the answer is "Just the ZMI" then we are
> talking about doing something that has not been done before: Making the
> ZMI different from all other Zope apps. If the answer is "All Zope Apps"
> then I fear you have just broken every Zope app I have ever seen 8^).

Well, I don't think I have ever used a GET to call a destructive parameter
in any application, but I can see that it is practical. What I have done
though, is to call it manually to do things when I have messed up. :-)

> If I were to implement this, a very simple approach seems attractive:
> Lock the ZODB on GET requests so that no transactions can be committed.
> However, I'm not sure I want to go there.

I'm sure I don't. :-) I just keep thinking "there has to be a better way". I
haven't figured out what yet, though. :-)

Normally you would pop up a confirmation before taking destructive actions,
but I don't see how that is possible via a web interface. This is something
I really hate with the web. Every advance that had been made in making
user interfaces consistent and usable was thrown out the window.

And I blame Netscape. The bastards.
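The two options the thread weighs, refusing a destructive method unless it arrives by POST and making the transaction layer refuse to commit on GET, are small enough to show side by side. The block below is an added example written for this page, not code from the thread and not Zope's own implementation: `Request`, `Transaction` and `Folder` are stand-ins, `manage_delObjects` only borrows its name from Zope, and the `ids:list` form marshalling in `confirm_page` is assumed to follow the Zope convention. It also shows the one thing a GET can safely do in this design, which is render the "are you sure?" form whose submission is the POST.

```python
"""Guarding state-changing Zope-style actions against GET requests.

Added example: not code from the original thread and not Zope's own
implementation. It models the two approaches the thread discusses:
  1. refuse a destructive method unless the request is a POST;
  2. have the transaction layer refuse to commit while serving a GET
     (the "lock the ZODB on GET" idea).
Request, Transaction and Folder are stand-ins written for this example;
manage_delObjects only borrows its name from Zope.
"""

# RFC 2616 "safe" methods. Browsers and proxies issue these just by
# following or prefetching a link, so a destructive action reachable via
# GET fires from any page that embeds the URL in <img src=...>.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


class UnsafeMethod(Exception):
    """A state change was attempted on a safe request method."""


class Request:
    """Stand-in for a Zope REQUEST: only method and form are modelled."""

    def __init__(self, method, form=None):
        self.method = method.upper()
        self.form = dict(form or {})


class Transaction:
    """Stand-in for a ZODB transaction bound to one request (approach 2).
    Mutations go through record_delete() so abort() can undo them, and
    commit() refuses to persist anything produced by a safe method."""

    def __init__(self, request):
        self.request = request
        self.undo = []          # (mapping, key, old_value) in apply order

    def record_delete(self, mapping, key):
        self.undo.append((mapping, key, mapping.pop(key)))

    def abort(self):
        while self.undo:
            mapping, key, old = self.undo.pop()
            mapping[key] = old

    def commit(self):
        if self.request.method in SAFE_METHODS:
            n = len(self.undo)
            self.abort()
            raise UnsafeMethod("refusing to commit %d change(s) made during "
                               "a %s request" % (n, self.request.method))
        self.undo = []          # committed: nothing left to undo


def requires_post(method):
    """Approach 1: refuse to run a destructive method on a safe request.
    The REQUEST is assumed to be the first argument after self."""
    def guarded(self, request, *args, **kw):
        if request.method in SAFE_METHODS:
            raise UnsafeMethod("destructive action requires POST, got %s"
                               % request.method)
        return method(self, request, *args, **kw)
    return guarded


class Folder:
    """Stand-in for an ObjectManager holding a few named objects."""

    def __init__(self, ids):
        self.objects = dict.fromkeys(ids, "<content>")

    def delete_unguarded(self, request, ids, txn):
        """Raw delete: only the transaction guard stands between a forged
        GET and the deletion."""
        for oid in ids:
            txn.record_delete(self.objects, oid)

    # Guarded entry point: the same delete, unreachable from a GET link.
    manage_delObjects = requires_post(delete_unguarded)


def confirm_page(ids):
    """What a GET may safely do: render the 'are you sure?' form, whose
    submission is the POST. Zope-style 'ids:list' marshalling is assumed."""
    hidden = "".join('<input type="hidden" name="ids:list" value="%s">' % i
                     for i in ids)
    return ('<form method="post" action="manage_delObjects">%s'
            '<input type="submit" value="Delete"></form>' % hidden)


def handle(folder, request, guarded=True):
    """Dispatch one request the way a publisher would: run the action in
    a transaction, commit on success, abort and report on refusal."""
    txn = Transaction(request)
    ids = request.form.get("ids", [])
    action = folder.manage_delObjects if guarded else folder.delete_unguarded
    try:
        action(request, ids, txn)
        txn.commit()
    except UnsafeMethod:
        txn.abort()             # no-op when nothing was recorded
        return ("refused", sorted(folder.objects))
    return ("ok", sorted(folder.objects))


if __name__ == "__main__":
    f = Folder(["index_html", "notes", "report"])
    forged = Request("GET", {"ids": ["report"]})          # <img src=...>
    print(handle(f, forged), handle(f, forged, guarded=False))
    print(handle(f, Request("POST", {"ids": ["report"]})))
```

The difference between the two guards is where the damage is stopped: the decorator refuses before anything is touched, while the transaction guard lets the in-memory mutation happen and then rolls it back at commit, which is why the stand-in records an undo log. The second approach is the one Casey describes as attractive but broad, since it would also refuse every legitimate GET-driven write in existing applications, whereas the decorator has to be applied method by method.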