[Zope-dev] PageTemplateFile vs. Bindings vs. Security
Martijn Faassen
faassen at infrae.com
Thu Mar 25 12:57:07 EST 2004
Jamie Heilman wrote:
> Martijn Faassen wrote:
>
>>Shane Hathaway wrote:
>>
>>>There certainly ought to be a way to create an unrestricted
>>>PageTemplateFile, though it should be an explicit step.
>>
>>That is a good suggestion. I'd like that option. It would also be a
>>potential performance benefit.
>>
>>On the other hand, in situations where the PageTemplate designers are
>>*not* security conscious (they're designers, not primarily programmers)
>>the option of explicit checks is useful.
>
> PageTemplateFile is a class used by Product authors, just like
> DTMLFile. If you can write a product, you are either security
> conscious or your product is worthless.

I don't always write products by myself. I work in a larger team which
may include some people who are very good at making beautiful HTML and
can get a page template to work, but aren't Python developers and can't
be expected to be experts on Zope security. In such situations it can be
a good idea that security checks against the underlying API take place,
though of course other forms of collaboration are possible where this
need does not exist.

Regards,

Martijn