Hey Jochem,

Really appreciate your thoughts on this...

Suppose you do want all of your students to be able to experiment with CFML. You want them to learn about SQL perhaps within the confines of QoQ. But you know they come and go every year and aren't around long enough to learn advanced best practices. So you do things like enforce strict tag attributes and have CFAdmin check all locks. But they're not really ready to write complex stored procedures and outer joins with nested selects or something. So, you package these in custom tags and disable their CFQUERY to prevent them from even trying it.

CFML is so wonderful because it is so easy to pick up. But it is powerful and as the language evolves, it might be helpful to make the security framework even more flexible to allow a campus ISP to perhaps host "tiered" contribution groups. ("If you hang my server, you get bumped down to the novice group where you can only call custom tags...")

Am trying to think of better examples.

Again, thanks.

-----Original Message-----
From: Jochem van Dieten [mailto:[EMAIL PROTECTED]
Sent: Monday, August 04, 2003 4:37 AM
To: CF-Talk
Subject: Re: An ISP's Dream: Extensions in one sandbox, client code in another

Blum, Jason (SAA) wrote:
>
> Yes, the CFEXECUTE was a bad example. Suppose instead you hosted all a
> University's various colleges' websites on one server.

Make that fraternities and student societies and I do :-)

> None of them had
> particularly good developers and instead of teaching them all SQL and
> relational database theory

You would be surprised how little CS students know about databases. I much prefer EE students as webmaster :-)

> you just gave them backend logins to a CMS
> which you then queried on the front end. You even packaged that query
> in a custom tag or component. It's all working so well that you now
> want to discourage new grad students from even trying their own sql
> queries in their code, but instead to tie only into your custom tag.

And this is the part that would not work (at least for us).
The thing is that they all have different needs and they all want to integrate with different backend systems. The rowing society wants to tie his user db into a reservation system for the boats. Fraternities want to tie it into a database for bookkeeping the beer. Student houses want to tie it into a system to keep track of who will attend dinner. And they are students, so they want to do it the hard way no matter how easy you make it.

> How do you keep the calling templates' sandbox restrictions from
> extending to their use of your custom tag?

You don't. Not in the way CF works (but I think it is a Java thing so you might have more luck with C customtags).

But in your scenario, why not just install PHPNuke for them and give them the admin password of that? If you don't want them to write code, why not go the whole way and write a content management system and let them use that, don't even give them FTP access to a server.

Jochem