[Zope-dev] [RFClet]: What about the request method and the client side trojan?

Toby Dickenson tdickenson@geminidataloggers.com
Mon, 15 Apr 2002 10:59:12 +0100


On Friday 12 Apr 2002 7:19 pm, Jeffrey P Shell wrote:

>that your proposal isn't up there (or the catalog is up to its old charms ;)

No, it's not up there.

>But now, does this mean I have to go through and tag every method that might
>cause a state change?  Or might not?

You won't ever *have* to do anything to your own methods. You might *want* to,
if you want the extra protection against client side trojans that this 
declaration will give.

>Now that I'm understanding things more, I never call non-idempotent methods
>(I hope I'm using that term right) from DTML anymore

Me too. That's why I was surprised to see the opposition.

>Overall, I still don't know how I feel about the whole thing.  It's good to
>have Zope as secure as possible, but if putting that security makes it
>suddenly much harder to develop for or upgrade to/for, I worry about the
>support costs involved.

Indeed.