[Zope3-dev] Re: Zope 3 web root

Alexander Limi limi at plone.org
Thu Feb 16 12:16:21 EST 2006 

On Thu, 16 Feb 2006 07:27:30 -0800, Tres Seaver <tseaver at palladion.com>  
wrote:

> I have a real client application where the templates themselves *are*
> the content being managed:  they are *not* software.  They *must* be
> stored in the ZODB.  You could think of these things as "active content
> components," or somthing, and they are not logically the same thing as
> "stock" templates used for software, but they do include ZPT.

But shouldn't this be an dedicated, custom content type with a transform  
or something to handle that particular use case?

I'm agreeing violently with most of the other people here that see no use  
for scripting things through the ZODB. Both developer usability-wise ("you  
can access some modules but not others") and security-wise, it is a  
nightmare. Pretty much all the security holes ever found in Zope through  
the years have only worked when you allow untrusted users to author DTML  
or Python Scripts residing in the ZODB.

Additionally, working as a developer coach for people new to Zope,  
explaining people the rationale behind TTW scripting becomes an exercise  
in futility ("but why can't I use the set functions in a Python Script?").

If Zope 3 only allowed code on the FS by default, the world would be a  
better place. The only thing it has going for it is TTW customization on  
hosting setups that don't allow their customers SSH access, but Zope isn't  
hostable in the "$5/month PHP hosting" way anyway. You pretty much need a  
dedicated server or at the very least a jail to do anything useful with  
Zope.

Keep it simple, and remember: "there should be one -- and preferably only  
one -- obvious way to do it".

-- 
_____________________________________________________________________

      Alexander Limi · Chief Architect · Plone Solutions · Norway

  Consulting · Training · Development · http://www.plonesolutions.com
_____________________________________________________________________

       Plone Co-Founder · http://plone.org · Connecting Content
   Plone Foundation · http://plone.org/foundation · Protecting Plone

More information about the Zope3-dev mailing list