cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sylvain Wallez <>
Subject Re: Views Internal-Only [Re: [RT] XMLForm]
Date Tue, 27 May 2003 09:53:19 GMT
Carsten Ziegeler wrote:

>Stefano Mazzocchi wrote:
>>on 5/26/03 2:26 AM Ugo Cei wrote:
>>>And last but not least, my personal pet peeve: make "views" internal 
>>>only. At the moment, IIUC, you cannot call sendPage(URI) if the URI is 
>>>matched by a matcher in an internal-only pipeline.
>>I totally agree with Ugo!!!!
>>In fact, I consider the above to be a showstopper for a Cocoon 2.1 Final
>>I don't know if you noticed by Linotype, for example, has a security
>>hole exactly because of the above: this means that anybody can write
>>stuff on my weblog if they can understand how. ;-(
>>I've been aware of this since day one, but probably we should make a
>>serious effort to fix this otherwise doing authentication with the flow
>>is going to be *always* painful.
>>Anybody has suggestions on where to look to make such a thing possible?
>I have a little RT (not written down yet) for views which I wanted to
>post for 2.2 :) I thought of a) inheriting views from a parent sitemap
>to a subsitemap and b) to configure if and which views are accessible
>from the "outsite", because there are applications where it makes 
>sense to call a view directly from a client.

Carsten, I think you've been confused by the word "view" : what Stefano 
and Ugo refer to are the sitemap URIs called by the flow, which are the 
views in a MVC model, but have nothing to do with "?cocoon-view=xxx".

Now you're right that we need to be able to restrict access to view from 
the outside.


Sylvain Wallez                                  Anyware Technologies 
{ XML, Java, Cocoon, OpenSource }*{ Training, Consulting, Projects }

View raw message