[Zope-dev] Zope logic

Casey Duncan casey@zope.com
Thu, 30 May 2002 13:43:22 -0400


The namespace traversal in Zope 2 severely violates the principle of least
surprise IMO. Although you can use this to clever ends, it opens up many
doors to misuse of a site or even significant security holes.

For instance, it used to be possible to access the Control Panel (and shutdown
Zope) as a user defined in a subfolder of the root who had the local Manager
role, just by forming a URL like:

http://somezope/myfolder/Control_Panel/manage_main

The point is that this grants way too much power to the end user to muck up
the namespaces. It is difficult, if not impossible to design an app in Zope
today that accounts for all possible namespace variations gracefully, since
there are effectively an infinite number of them for every given object in
Zope based on different URLs.

Now I won't argue that implicit acquisition isn't useful. It rules in solving
(and simplifying) problems in creating highly coordinated objects. But, being
an implicit and magical thing, it is better if it is invoked through an
explicit gesture rather than simply being there all the time. Having it
around all the time also makes it easy to use it when it's not the best (or
most robust) solution because it also excels in creating namespace chaos that
is difficult to predict and account for.

This is what Zope3 realizes.

-Casey

On Thursday 30 May 2002 12:42 pm, Adrian Hungate wrote:
> Hmmm... interesting points... However I almost completely disagree.
>
> The only part of URL implicit acquisition that I have a problem with is
> acquiring from outside the VHost, but if you plan properly, you can even
> avoid this.
>
> I have written several sites that use this feature, and I have found no
> significant problems with it, and as for it being a problem for caching
> proxies, many of the objects that get acquired are dynamic, and provide
> different content based on context, so multiple cache entries is the
> correct answer.
>
> Adrian...
>
> --
> Adrian Hungate
> EMail: adrian@haqa.co.uk
> Web: http://www.haqa.co.uk
>=20
> ----- Original Message -----
> From: "Toby Dickenson" <tdickenson@geminidataloggers.com>
> To: "Lennart Regebro" <lennart@torped.se>; "Wei He" <hewei@mail.ied.ac.cn>;
> <zope-dev@zope.org>
> Sent: Thursday, May 30, 2002 4:07 PM
> Subject: Re: [Zope-dev] Zope logic
>
>
> On Thursday 30 May 2002 10:29 am, Lennart Regebro wrote:
>
> > It not only sounds good, but it is good. No, it is fantastic. Amazing.
> > Totally unbelievingly great! It's one of the best and main features of
> > Zope.
>
> Is anyone relying on your site to provide information? How do you test your
> site to make sure that every possible url (not just the ones you link to)
> does not give out misinformation?
>
> Some specific problems that I have encountered:
>
> 1. Content that crosses between virtual hosts.
>
> If two different virtual hosts come from the same zope then it is possible
> to construct a URL so that content from one site appears under the hostname
> (and https certificate!) of another.
>
> 2. A page that uses a mix of context and containment
>
> If a page is built up with some content found from its context, and other
> content from containment, then it is possible to construct a URL so that
> apparently related information comes from unrelated objects.  Imagine a
> medical imaging database, where it was possible for a page to display the
> wrong patient name above an image.
>
>
> My conclusions are:
>
> a. implicit acquisition is dangerous
>
> b. acquisition that searches outside the containment hierarchy is evil.
>
>
> I'm not keeping up with Zope 3 development..... how does Zope 3 handle
> acquisition?
>
>
> _______________________________________________
> Zope-Dev maillist  -  Zope-Dev@zope.org
> http://lists.zope.org/mailman/listinfo/zope-dev
> **  No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope )
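
The traversal behaviour described in this thread, as an added example that is not part of the original messages and is not Zope's own code: a toy Python model in which a name missing from the current object is looked up in the objects already on the URL path, compared with containment-only resolution. The `Node` class, the user `alice`, and the role check that collects local roles from every object the URL passed through are assumptions made for illustration.

```python
class Node:
    """Toy stand-in for a Zope object in a containment tree."""
    def __init__(self, name, parent=None, local_roles=None):
        self.name, self.parent, self.children = name, parent, {}
        self.local_roles = local_roles or {}  # user -> roles granted at this node
        if parent is not None:
            parent.children[name] = self

def containment_chain(node):
    """The node and its real containers, innermost first."""
    chain = []
    while node is not None:
        chain.append(node)
        node = node.parent
    return chain

def traverse(root, url_path, implicit_acquisition=True):
    """Resolve url_path; return the list of objects the URL passed through."""
    visited = [root]
    for name in filter(None, url_path.split("/")):
        # Without acquisition only the current object is searched; with it,
        # every object already on the URL path is a fallback.
        scopes = reversed(visited) if implicit_acquisition else visited[-1:]
        target = next((s.children[name] for s in scopes if name in s.children), None)
        if target is None:
            raise KeyError(name)
        visited.append(target)
    return visited

def roles(user, nodes):
    """Union of the local roles a user holds on the given nodes."""
    return set().union(*(n.local_roles.get(user, set()) for n in nodes))

def is_acquired(visited):
    """True when the resolved object is not contained where the URL says it is."""
    return containment_chain(visited[-1])[::-1] != visited

# Constructed sample tree: alice is Manager only inside /myfolder.
root = Node("")
control_panel = Node("Control_Panel", root)
myfolder = Node("myfolder", root, {"alice": {"Manager"}})

path = traverse(root, "/myfolder/Control_Panel")
context_roles = roles("alice", path)                             # URL-path view
containment_roles = roles("alice", containment_chain(path[-1]))  # real containers
```

Evaluating roles over the containment chain of the resolved object, or rejecting requests where `is_acquired` is true, keeps the folder-level Manager role from reaching an object that lives outside that folder.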