[Zope] organizational questions
Martijn Faassen
M.Faassen@vet.uu.nl
Mon, 26 Apr 1999 14:43:05 +0200

Martin Dougiamas wrote:
>
> Paul Everitt wrote:
> >
> >
> > Martin Dougiamas wrote:
> > > The funny thing is that
> > >
> > > <!--#var "myapp.myfunction"-->
> > >
> > > correctly returns all the raw content of the DTML document,
> > > so it *can* find it OK.
> > >
> > > Any ideas?
> >
> > The quotes switch DTML into "expr" (expression) mode. Outside of
> > expressions, DTML is limited to very safe operations. Getting
> > attributes (the dot) is an operation that requires the security
> > machinery to get involved, to make sure that you have permission.
>
> Oh. I was logged in as manager .... so I didn't think security was
> a problem. Is there any other way to do this?

I think you misunderstood Paul just now; he didn't mean security was a
problem, he just intended to give an explanation of why the foo.bar
trick only works in quotes. The quotes are simply a short cut to
'expr="foo.bar"', i.e.:

    <!--#var "foo.bar"-->

is the same as

    <!--#var expr="foo.bar"-->

but

    <!--#var foo.bar-->

doesn't work, as apparently this expression is too complicated to
evaluate safely without the quotes.

The quotes *are* necessary, though. Is this a big problem?

Perhaps a Next Generation DTML could do away with the first 'quoteless'
notation altogether, to avoid such confusion? Hm..

Regards,

Martijn
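
The difference between the three tag forms discussed in this thread, as an added example that is not part of the original message and is not Zope's code. It is a simplified model: the names render_var, guarded_getattr, Obj and the role sets are hypothetical, expr mode is reduced to dotted paths, and treating the unquoted form as a single key lookup is an assumption of the model.

```python
import re

# Matches <!--#var name-->, <!--#var "expr"--> and <!--#var expr="expr"-->.
TAG = re.compile(r'<!--#var\s+(?:(?:expr=)?"(?P<expr>[^"]+)"|(?P<name>[^\s"=]+))\s*-->')


class Unauthorized(Exception):
    """Raised when the guarded attribute access is refused."""


class Obj:
    """Constructed stand-in for an object that carries a set of allowed roles."""

    def __init__(self, roles, **attrs):
        self.roles = set(roles)
        self.__dict__.update(attrs)


def guarded_getattr(obj, name, user_roles):
    """The 'dot' operation: fetch the attribute, then check permission on it."""
    value = getattr(obj, name)
    needed = getattr(value, "roles", None)
    if needed is not None and not needed & set(user_roles):
        raise Unauthorized(name)
    return value


def render_var(tag, namespace, user_roles):
    m = TAG.fullmatch(tag.strip())
    if m is None:
        raise ValueError("not a var tag: %r" % tag)
    if m.group("name"):
        # Name mode (assumption of this model): one plain key lookup, no dots
        # interpreted, so "foo.bar" is just a key that does not exist.
        return namespace[m.group("name")]
    # Expr mode, reduced here to dotted paths: every dot is a guarded getattr.
    head, *rest = m.group("expr").split(".")
    value = namespace[head]
    for attr in rest:
        value = guarded_getattr(value, attr, user_roles)
    return value


# Constructed sample namespace.
BAR = Obj({"Manager"}, text="raw content")
NAMESPACE = {"foo": Obj({"Anonymous", "Manager"}, bar=BAR)}
```

In this model the quoted and expr= forms resolve foo.bar through the permission check, while the unquoted form fails with a KeyError before any attribute access happens.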