[Zope3-dev] Re: AW: Re: skin support for xmlrpc

Christian Zagrodnick cz at gocept.com
Wed Sep 26 11:06:10 EDT 2007


On 2007-09-15 17:35:20 +0200, "Roger Ineichen" <dev at projekt01.ch> said:

> Hi Christian
> 
>> Subject: [Zope3-dev] Re: skin support for xmlrpc
>> 
>> On 2007-09-14 18:54:01 +0200, "Fred Drake" <fdrake at gmail.com> said:
>> 
>>> On 9/14/07, Roger Ineichen <dev at projekt01.ch> wrote:
>>>> If you register views for a base request type, you probably will open
>>>> a backdoor in other projects. Because
>>> 
>>> I'm not advocating registering views for the base request types
>>> generally, but only the way to specify in the URL what the request
>>> type is.  Because sometimes we really do want completely separate sets
>>> of XML-RPC (or whatever) interfaces.
>> 
>> Ok, then I suggest:
>> 
>> * Provide an IRequestType interface in zope.publisher
>> * Provide an ++api++ traverser in zope.traversing which does
>> `getUtility(IRequestType, *name*)`.
>> * define class IBrowserSkinType(IRequestType)
>> * Leave ++skin++ for IBrowserSkinType or just make it the
>> same as ++api++
>> * Keep layer="" on <xmlrpc:view>, <browser:page> etc.
>> 
>> Comments?
> 
> 
> If I understand the concept correctly, this is a built-in backdoor.
> 
> Doesn't this allow bypassing the Apache rewrite rule?
> With: http://www.foobar.com/++api++xmlrpc/doSomething
> 
> If the rewrite rule in Apache is:
> RewriteRule (/?.*)
> http://localhost:8080/++skin++OnlyHere/++vh++https:www.foobar.com:443/++$1
> [P,L]
> 
> 
> Or does the ++api++ namespace recognize the skin?
> Which means the rewritten URL is:
> With: http://www.foobar.com/++skin++OnlyHere/++api++xmlrpc/doSomething

A way to avoid this is to allow applying a skin / request type only once.
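
The "apply only once" rule suggested above, sketched as an added example (not Zope code and not part of the original message): a stand-alone model of path traversal in which the first `++skin++` or `++api++` selector wins and any later one is refused. The names `traverse`, `rewritten`, `PROXY_PREFIX` and `RequestTypeAlreadyApplied` are hypothetical; the prefix models the Apache rule quoted above.

```python
import re

# Added illustration: a stand-alone model, not zope.publisher/zope.traversing code.
TYPE_NAMESPACES = {"skin", "api"}  # selectors named in the proposal above
_NS = re.compile(r"^\+\+(?P<ns>[^+]+)\+\+(?P<name>.*)$")

# Prefix the front-end rewrite rule quoted above puts before the client path.
PROXY_PREFIX = "/++skin++OnlyHere/++vh++https:www.foobar.com:443/++"


class RequestTypeAlreadyApplied(Exception):
    """A second skin / request-type selector appeared in the path."""


def rewritten(client_path):
    """Model the proxy rule: fixed prefix followed by the client's path."""
    return PROXY_PREFIX + client_path


def traverse(path):
    """Honour only the first skin/api selector; refuse any later one.

    Returns (applied, remaining): the (namespace, name) pair that took
    effect, or None, and the list of all other path steps in order.
    """
    applied = None
    remaining = []
    for step in path.split("/"):
        if not step:
            continue
        m = _NS.match(step)
        if m and m.group("ns") in TYPE_NAMESPACES:
            if applied is not None:
                raise RequestTypeAlreadyApplied(
                    "%s++%s already applied, refusing %s"
                    % (applied[0], applied[1], step))
            applied = (m.group("ns"), m.group("name"))
        else:
            remaining.append(step)
    return applied, remaining


if __name__ == "__main__":
    # Constructed sample paths, as a client would send them to the proxy.
    for client_path in ("/doSomething", "/++api++xmlrpc/doSomething"):
        try:
            print(client_path, "->", traverse(rewritten(client_path)))
        except RequestTypeAlreadyApplied as exc:
            print(client_path, "-> rejected:", exc)
```

With this rule the skin pinned by the front end cannot be replaced by a selector in the client-supplied part of the path; a request that reaches the backend without the proxy prefix can still choose its own type once.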
