[Zope-dev] ZSQL methods lookup vars in REQUEST only (why?)

Toby Dickenson tdickenson@geminidataloggers.com
Thu, 11 Oct 2001 13:42:43 +0100


>>> Anyway, I propose that ZSQLMethods change and do variable lookups in the
>>> entire namespace, not just the REQUEST object.  It seems to be a simple
>>> enough change (at least it looks it) and I can submit the patches, but
>>> the harder thing is to get people to agree that it is a change for the
>>> better.

>Paul Zwarts wrote:
>
>> Just to play devil's advocate: it seems this way, that methods pulling
>> non-specifically from namespace could allow ways to modify the result if
>> someone paid close attention to what's going on...

Exactly right.

Even the guys at Zope.com don't pay close enough attention...
Historically this has been the source of several security holes.

Tim wrote:

>I agree.  However, this is true of all DTML.

That is true, and is the reason why dtml is inappropriate for any use
except trivial document templating. In other uses it is either buggy
(for the reason Paul mentioned) or very very ugly (because the author
knows about the potential bugs, and in dtml it is cumbersome to work
round them).

It is a pity that the current zope-newbie documentation presents dtml
as more than it is; as an essential part of "the zope way".

Anyway, there are plenty of alternatives to those non-trivial uses of
dtml; Python Scripts, python products, CMF skins, etc. None of them
are quite as slick, but at least they work.

I don't know of a good alternative to SQLMethods, so I would prefer
that they not be 'broken' in order to maintain consistency with a
feature that many people recommend you should avoid.


Tim also wrote:

>The only argument that I have heard against it is that variables will be
>found mysteriously through the stack and that this is harder to
>understand.  However, that just makes it inconsistent with all other
>DTML and therefore mysterious in its own way.

You are right that the mechanism for calling SQLMethods from DTML is
different to calling DTML from DTML, but the odd one out is DTML
calling DTML!

DTML calling a SQLMethod currently behaves the same as DTML calling a
PythonScript, pure python functions, extension class functions, or an
external method.


Toby Dickenson
tdickenson@geminidataloggers.com
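An added illustration of the two lookup rules debated in this thread (not code from the thread, nor Zope's own): a toy DTML-style namespace stack, a REQUEST-only binder beside a whole-namespace binder, and an audit helper that flags arguments whose value depends on which frame happens to be innermost. All frame names, values and the table are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for a DTML namespace stack, innermost
# frame first. Names and values are hypothetical, not Zope's own objects.
REQUEST = {"owner": "alice"}                  # supplied by the HTTP client
LOOP_FRAME = {"owner": "bob", "row": 3}       # pushed by an enclosing <dtml-in>
FOLDER = {"table": "docs", "owner": "admin"}  # author-controlled properties
STACK = [LOOP_FRAME, REQUEST, FOLDER]

# The SQL method: a declared argument list plus a template using named params.
ARGUMENTS = ["owner"]
QUERY = "SELECT title FROM docs WHERE owner = :owner ORDER BY title"


def bind_from_request(arg_names, request):
    """Lookup as the thread describes current ZSQL methods: REQUEST only."""
    return {name: request[name] for name in arg_names}


def bind_from_namespace(arg_names, stack):
    """Lookup as proposed: the first frame binding the name wins."""
    bound = {}
    for name in arg_names:
        for frame in stack:
            if name in frame:
                bound[name] = frame[name]
                break
        else:
            raise KeyError(name)
    return bound


def shadowed_names(arg_names, stack):
    """Audit helper: arguments bound in more than one frame, i.e. those whose
    value would silently change with the calling context under full lookup."""
    return sorted(n for n in arg_names if sum(n in f for f in stack) > 1)


def run_query(bound):
    """Run the template with bound parameters (never string-interpolated)
    against a tiny in-memory table, returning the matching titles."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE docs(title TEXT, owner TEXT);"
        "INSERT INTO docs VALUES ('alpha','alice'),('beta','bob'),('gamma','alice');"
    )
    rows = [r[0] for r in conn.execute(QUERY, bound)]
    conn.close()
    return rows
```

With the same REQUEST, the two binders return different rows because the enclosing loop frame shadows `owner`; `shadowed_names` is the check an author would run to see where that ambiguity exists.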