[Zope-dev] [RFClet]: What about the request method and the client side trojan?

Casey Duncan casey@zope.com
Thu, 11 Apr 2002 10:16:17 -0600


<dtml-var foo> is not even close to the equivalent of <dtml-var "foo()">

The former uses mapply to comb the namespace for arguments and maps them 
to the callable and then calls it (if it is a callable, that is). IOW 
foo could have any number of arguments. The latter always calls foo with 
no argument.

My point is how do you distinguish <dtml-var foo> meaning "Call foo 
passing everything from the namespace that maps to an arg" from 
<dtml-var foo> meaning "Call foo passing everything, but foo doesn't use 
anything" from <dtml-var foo> "Call foo and foo takes no arguments" from 
<dtml-var foo> "foo is not callable, so return the value of foo".

The most troublesome case is where foo accepts any number of arguments 
(such as a DTML method or ZPT or any other method with **kw), and you 
cannot know whether it changes objects or simply returns some string or 
something. I don't think it is helpful to assume that "because a method 
takes arguments, it is dangerous". I can write destructive methods that 
take no arguments too.

Also, are we talking about only fixing the "action on GET" for the ZMI 
or for all Zope apps? If the answer is "Just the ZMI" then we are 
talking about doing something that has not been done before: Making the 
ZMI different from all other Zope apps. If the answer is "All Zope Apps" 
then I fear you have just broken every Zope app I have ever seen 8^).

If I were to implement this, a very simple approach seems attractive: 
Lock the ZODB on GET requests so that no transactions can be committed. 
However, I'm not sure I want to go there.

-Casey


Toby Dickenson wrote:
> On Thursday 11 April 2002 4:39 pm, Casey Duncan wrote:
> 
>>Toby Dickenson wrote:
>>[snip]
>>
>>
>>>4. Change dtml to not allow <dtml-var someNonIdempotentMethod>, although
>>>it should still allow <dtml-var "someNonIdempotentMethod()">
>>>
>>Ahhh!
>>
>>How do you propose to do that? I see a lot of bruised foreheads
>>resulting from this...
>>
> 
> Really? <dtml-var someNonIdempotentMethod> only works with methods that take 
> zero parameters (excluding self). The question is: how many zero parameter 
> non-idempotent methods are there?
> 
> I have only been able to find one such method in the current Zope cvs, and I 
> get similarly optimistic results in my products. 
> 
> 
> 
>>Likely very common.
>>
> 
> So far I have only been checking with crude greps, so I could be wrong. Any 
> chance you could spend a couple of minutes looking for an example to share?
> 
>
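The dispatch behaviour discussed in this thread, as an added example that is not from the thread or from Zope itself: a toy `mapply` (an assumption standing in for ZPublisher's real one, which is richer), the four readings of `<dtml-var foo>`, a zero-argument method that still writes, and a constructed store carrying the "refuse writes on GET" lock Casey mentions.

```python
import inspect

def mapply(obj, namespace):
    """Simplified stand-in for what <dtml-var foo> does: if obj is callable,
    fill each named parameter from the namespace and call it; otherwise
    return obj unchanged. Constructed here, not Zope's ZPublisher.mapply."""
    if not callable(obj):
        return obj                                   # foo is a plain value
    kwargs = {}
    for name, param in inspect.signature(obj).parameters.items():
        if param.kind is inspect.Parameter.VAR_KEYWORD:
            kwargs.update(namespace)                 # **kw swallows everything
        elif name in namespace:
            kwargs[name] = namespace[name]
        elif param.default is inspect.Parameter.empty:
            raise TypeError(f"{obj.__name__} needs {name!r}, not in namespace")
    return obj(**kwargs)

class Store:
    """Toy persistent store with a 'no writes during GET' lock (constructed,
    sketching the ZODB-lock idea from the post, not real ZODB behaviour)."""
    def __init__(self):
        self.data = {"hits": 0}
        self.request_method = "GET"
    def set(self, key, value):
        if self.request_method == "GET":
            raise PermissionError("write refused during GET")
        self.data[key] = value

store = Store()

# The four readings of <dtml-var foo> that the post calls indistinguishable,
# plus a zero-parameter method that nevertheless changes state.
def greeting(name):            # uses an argument found in the namespace
    return "hello " + name
def render(**kw):              # DTML-method-like: accepts any keyword args
    return "rendered:" + ",".join(sorted(kw))
def version():                 # takes no arguments at all
    return "1.0"
title = "plain value"          # not callable
def reset_hits():              # zero parameters, yet non-idempotent
    store.set("hits", 0)
    return "reset"

def takes_arguments(obj):
    """The heuristic the post argues against: 'has parameters' => 'dangerous'.
    It flags greeting() but misses reset_hits(), which writes."""
    return callable(obj) and bool(inspect.signature(obj).parameters)
```

Under the store's GET lock `mapply(reset_hits, {})` raises instead of writing; switching `store.request_method` to `"POST"` lets the same call commit.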