Michiel Meeuwissen <[EMAIL PROTECTED]> wrote:
> I've created an 'Attachment servlet' in the spirit of the Image Servlet.
[snip]
>
> I think I still need to adapt Attachments.java to make this 'url-pattern'
> really configurable (I think the gui-s are broken now).

It can be made to work now. 'AttachmentServlet' and 'ImageServlet' are now very similar things, and the 'associated' builders (attachments, images) extend the same base class (AbstractServletBuilder), which provides a function 'servletpath' which can be used to obtain the right path to the servlet (in wizard.xsl and ImageTag you can see how this is used). If you do not use these new servlets this function will simply return img.db and attachment.db and so on.

Because the servlets are based on the bridge, something had to be made up to inform them about security if this is needed (otherwise it would e.g. be impossible to view images that are not visible for anonymous). Therefore these servlets can accept a 'session=' argument which gives the _name of the variable in the session which contains a Cloud object_. E.g. CloudTag writes the Cloud to the session (see 'sessionName' attribute). So if you don't use taglib, you have to write the cloud to the session yourself if you want to view 'secured' images/attachments.

The 'servletpath' function accepts this session-variable name as an argument. It would also be needed for the 'gui()' function (much used in editors). I first tried to add some function which could modify the behaviour of gui() to create the right url to the servlets if 'logged in' but this was very impractical. Especially because I wanted to be absolutely sure not to change the behaviour of the original 'gui()' functions (e.g. not want to add new string-parsing because that could compromise performance). So, finally I decided to add a 'sgui' function which does the job (and which is gui() for anything which is not a 'servlet builder').

I did all this more or less as part of the 'cleaning project', because it seemed clear to me that security should not have such a 'hole' (that images and attachments lacking read rights can still simply be viewed by the servlets).

In short, the 'servletpath()' and 'sgui()' are new, and under evaluation.
Precise syntax can still change, especially if somebody comes up with a good idea...

Michiel

-- 
Michiel Meeuwissen
Mediapark, C 107
tel. +31 (0)35 6772979
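The 'session=' lookup described in the message above, as an added example that is not MMBase code or the author's: it shows a servlet resolving the Cloud from the session attribute named by the request and falling back to anonymous when the name is absent or points at something that is not a Cloud. The `Cloud` interface, `resolveCloud`, `serve`, the node numbers and the attribute names are assumptions made for illustration; the real bridge and servlet APIs are replaced by stand-ins.

```java
import java.util.HashMap;
import java.util.Map;

public class CloudLookupExample {
    // Stand-in for the bridge Cloud: only the read check matters here (hypothetical interface).
    interface Cloud { boolean mayRead(int nodeNumber); }

    // Constructed anonymous cloud: only node 100 is readable without logging in.
    static final Cloud ANONYMOUS = n -> n == 100;

    // Resolve the Cloud for a request carrying an optional 'session=' argument.
    // sessionAttrs models the HTTP session's attributes; null means no session exists.
    static Cloud resolveCloud(String sessionArg, Map<String, Object> sessionAttrs) {
        if (sessionArg == null || sessionAttrs == null) return ANONYMOUS;
        Object candidate = sessionAttrs.get(sessionArg);
        // The name comes from the client, so it may point at any session attribute:
        // accept it only if it really is a Cloud, otherwise stay anonymous.
        return (candidate instanceof Cloud) ? (Cloud) candidate : ANONYMOUS;
    }

    // Returns the HTTP status the servlet would send for the requested node.
    static int serve(int node, String sessionArg, Map<String, Object> sessionAttrs) {
        return resolveCloud(sessionArg, sessionAttrs).mayRead(node) ? 200 : 403;
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        session.put("cloud_mmbase", (Cloud) n -> true);   // constructed: logged-in editor's cloud
        session.put("username", "editor");                // unrelated, non-Cloud attribute

        System.out.println(serve(100, null, null));               // public node, no session argument
        System.out.println(serve(200, null, null));               // secured node, no session argument
        System.out.println(serve(200, "cloud_mmbase", session));  // secured node, editor's cloud
        System.out.println(serve(200, "username", session));      // name points at a non-Cloud value
    }
}
```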
