cocoon-dev mailing list archives

From Stefano Mazzocchi <stef...@apache.org>
Subject Views Internal-Only [Re: [RT] XMLForm]
Date Mon, 26 May 2003 15:19:44 GMT
on 5/26/03 2:26 AM Ugo Cei wrote:


> And last but not least, my personal pet peeve: make "views" internal 
> only. At the moment, IIUC, you cannot call sendPage(URI) if the URI is 
> matched by a matcher in an internal-only pipeline.

I totally agree with Ugo!!!!

In fact, I consider the above to be a showstopper for a Cocoon 2.1 Final
release.

I don't know if you noticed, but Linotype, for example, has a security
hole exactly because of the above: this means that anybody can write
stuff on my weblog if they can understand how. ;-(

I've been aware of this since day one, but probably we should make a
serious effort to fix this, otherwise doing authentication with the flow
is going to be *always* painful.

Does anybody have suggestions on where to look to make such a thing possible?

-- 
Stefano.


