cocoon-dev mailing list archives

From "Carsten Ziegeler" <>
Subject RE: Views Internal-Only [Re: [RT] XMLForm]
Date Tue, 27 May 2003 07:39:36 GMT
Stefano Mazzocchi wrote:
> on 5/26/03 2:26 AM Ugo Cei wrote:
> > And last but not least, my personal pet peeve: make "views" internal 
> > only. At the moment, IIUC, you cannot call sendPage(URI) if the URI is 
> > matched by a matcher in an internal-only pipeline.
> I totally agree with Ugo!!!!
> In fact, I consider the above to be a showstopper for a Cocoon 2.1 Final
> release.
> I don't know if you noticed by Linotype, for example, has a security
> hole exactly because of the above: this means that anybody can write
> stuff on my weblog if they can understand how. ;-(
> I've been aware of this since day one, but probably we should make a
> serious effort to fix this otherwise doing authentication with the flow
> is going to be *always* painful.
> Does anybody have suggestions on where to look to make such a thing possible?
I have a little RT (not written down yet) for views which I wanted to
post for 2.2 :) I thought of a) inheriting views from a parent sitemap
to a subsitemap and b) to configure if and which views are accessible
from the "outside", because there are applications where it makes 
sense to call a view directly from a client.

Anyway, making a view accessible only from internal pipelines should
be easy: the environment is asked for the view (getView()) and with
a simple hack :) this method can only return the view when it is
an internal one. I think for 2.1 this should be sufficient.

For 2.2 we can improve it then.
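The check Carsten sketches above (the environment's getView() only honouring a view for internal pipeline calls), written out as an added illustrative example in Java. This is not Cocoon's own code: the Env interface, the ViewGuard class and the publicViews allow-list are assumptions standing in for Cocoon's Environment and sitemap configuration. It goes slightly beyond the 2.1 hack by also modelling the 2.2 idea of configuring which views, if any, may be reached from outside.

```java
// Illustrative example, not Cocoon's code. Hypothetical names: Env, SimpleEnv,
// ViewGuard, publicViews. The point: a view selected by a request is only
// applied when the request came from an internal pipeline call (sendPage(),
// cocoon: URIs) or when that view has been explicitly configured as public,
// so an external client cannot reach an internal-only pipeline by naming
// a view in its request.
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public final class ViewGuard {

    /** Minimal stand-in for an environment; hypothetical, not Cocoon's interface. */
    public interface Env {
        /** The view name the caller asked for, or null if none. */
        String requestedView();
        /** True when the environment was created by an internal pipeline call. */
        boolean isInternal();
    }

    /** Constructed environment used for the sample inputs below. */
    public static final class SimpleEnv implements Env {
        private final String view;
        private final boolean internal;

        public SimpleEnv(String view, boolean internal) {
            this.view = view;
            this.internal = internal;
        }

        @Override public String requestedView() { return view; }
        @Override public boolean isInternal() { return internal; }
    }

    /** Views that have been configured as reachable from outside (2.2 idea). */
    private final Set<String> publicViews;

    /** 2.1 behaviour: no view is ever reachable from outside. */
    public ViewGuard() {
        this(Collections.<String>emptySet());
    }

    /** 2.2 behaviour: only the listed views are reachable from outside. */
    public ViewGuard(Set<String> publicViews) {
        this.publicViews = new HashSet<String>(publicViews);
    }

    /**
     * Returns the view to apply, or null when no view may be applied.
     * Internal callers get exactly the view they asked for; external
     * callers only get views that were explicitly made public.
     */
    public String getView(Env env) {
        String view = env.requestedView();
        if (view == null || view.length() == 0) {
            return null;
        }
        if (env.isInternal() || publicViews.contains(view)) {
            return view;
        }
        // An external request tried to select a non-public view: refuse it
        // and leave a trace, since this is exactly the bypass discussed above.
        System.err.println("refused external request for view '" + view + "'");
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        Env fromFlow = new SimpleEnv("content", true);    // e.g. sendPage() from a flowscript
        Env fromClient = new SimpleEnv("content", false); // e.g. a browser naming the view

        ViewGuard strict = new ViewGuard();
        System.out.println("2.1 style, internal caller : " + strict.getView(fromFlow));
        System.out.println("2.1 style, external caller : " + strict.getView(fromClient));

        Set<String> exposed = new HashSet<String>();
        exposed.add("content");
        ViewGuard configured = new ViewGuard(exposed);
        System.out.println("2.2 style, external caller : " + configured.getView(fromClient));
    }
}
```

With the empty allow-list the guard behaves like the "simple hack" for 2.1: external requests never get a view, whatever they name. Populating the allow-list is the 2.2 refinement, so the decision about which views a client may call directly lives in configuration rather than in the pipeline code.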


View raw message