AW: AW: [Zope-dev] Re: Request typing (to get the xmlrpc layer discussion finished)

Jim Fulton jim at zope.com
Tue Dec 18 08:57:35 EST 2007


On Dec 18, 2007, at 5:08 AM, Roger Ineichen wrote:

> Hi Jim
>
>> Subject: Re: AW: [Zope-dev] Re: Request typing (to get the
>> xmlrpc layer discussion finished)
>
> [...]
>
>>> Configuring views on layers will prevent us from backdoors if we reuse
>>> these easily installable eggs ;-)
>>>
>>> Here is a simple sample of such a built-in backdoor:
>>>
>>> At our fresh zope installation:
>>> http://localhost:8080/@@absolute_url
>>>
>>> Of course it's not this dangerous, but it shows you what I mean.
>>
>>
>> How do skins avoid this?
>
> Let me explain first how I define layer and skins.
>
> - A layer is a configuration discriminator (request type)
>  for traversable components.
>
> - A named skin (configuration) makes it possible to traverse
>  components using a context and this layer as discriminator
>  as url path.
>
> This means in my point of view a layer is a concept which
> offers a configuration namespace which somebody can use or
> not. If a layer has already defined views it doesn't affect
> anything till we map this layer as traversable namespace.
> By a traversable namespace I mean the layer registered by
> its traversable name. Also called skin and accessible by
> ++skin++Name.
>
> If we register "absolute_url" in a layer which isn't
> used in a skin, then this view is not available as
> traversable view because of the missing layer/named skin
> configuration.


Which does nothing to "protect" you from components registered for the  
default layer or for IBrowserRequest.

Jim

--
Jim Fulton
Zope Corporation
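
The exchange above, as an added example that is not part of the original thread and is not Zope code: a simplified model in which plain Python classes stand in for layer interfaces and a dictionary stands in for the view registry. The names `IAddonLayer`, `IBareSkin`, `IDefaultSkin`, `addon_view` and `index.html` are assumptions made for the illustration. It lists which registered views a given skin's request type can reach.

```python
# Simplified model of layer-based view lookup (constructed for illustration).
# Plain classes stand in for zope.interface interfaces; REGISTRY is a
# hypothetical stand-in for the component registry, not Zope's API.

class IBrowserRequest: ...
class IDefaultBrowserLayer(IBrowserRequest): ...   # the default layer
class IAddonLayer(IBrowserRequest): ...            # layer shipped by a reused egg
class IBareSkin(IBrowserRequest): ...              # skin built directly on IBrowserRequest
class IDefaultSkin(IDefaultBrowserLayer): ...      # skin that includes the default layer

# (layer the view is registered for, view name) -> description
REGISTRY = {
    (IBrowserRequest, "absolute_url"): "registered for IBrowserRequest",
    (IDefaultBrowserLayer, "index.html"): "registered for the default layer",
    (IAddonLayer, "addon_view"): "registered for the add-on layer",
}

def lookup(request_type, name):
    """Return the registration found by walking the request type's bases,
    most specific first, or None if the view is not reachable."""
    for layer in request_type.__mro__:
        if (layer, name) in REGISTRY:
            return REGISTRY[(layer, name)]
    return None

def reachable(request_type):
    """Audit helper: every view name traversable with this request type."""
    return sorted(
        name for (layer, name) in REGISTRY if issubclass(request_type, layer)
    )

def audit(skins):
    """Map each skin name to the views it exposes."""
    return {skin.__name__: reachable(skin) for skin in skins}

if __name__ == "__main__":
    for skin, views in audit([IBareSkin, IDefaultSkin]).items():
        print(skin, "->", views)
```

The add-on layer's view stays unreachable because neither skin includes that layer, which is Roger's point; `absolute_url` is reachable from both skins because every layer derives from `IBrowserRequest`, which is Jim's.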



