[Grok-dev] HTTP PUT and HTTP DELETE security support
faassen at startifact.com
Mon May 14 17:23:05 EDT 2007
Hi grokkers, especially Philipp and Christian,
I just tried to issue a HTTP PUT request to a Grok view, but traversal
totally failed even before it reached the view, because .get was a
forbidden attribute on a container. Looks like our security stripping
wasn't complete enough.
I've hack-fixed this by amending Grok's configure.zcml to have this:
methods="GET POST HEAD PUT DELETE"
Previously 'PUT' and 'DELETE' were missing.
Of course this has a reason - they aren't there in the Zope 3 publisher
registration either. Why not? I'm not sure. There's some PUT support
elsewhere in zope.app.http, but what that does exactly I'm not sure
about. Anyhow, I'd like Zope 3's security get out of my way, but we need
to understand what's going on with PUT in Zope 3 a bit more before I'll
feel secure in committing this change.
My use case is that I want PUT (and DELETE) to be handled by views. When
the 'index' view receives a PUT request it detects this in the update
method and does stuff with the PUTTED data.
Right now I have to hack to get to the actual data that's being PUT:
data = self.request.bodyStream.getCacheStream().getvalue()
This because I don't want the normal GET/POST argument parser to try to
turn the PUT body into a dictionary. but want whatever was submitted.
If this use case is considered to be common, we could consider adding
special functionality for this to Grok's views, perhaps a special
raw_update method that receives the putted input stream as an argument
(that would be called for at least POST and PUT, but perhaps we can make
it work for GET as well).
Anyone have any insights about how this works in Zope 3 and how Grok
should be handling this?
More information about the Grok-dev