so what are the scenarios we are talking about?
wanting to unprotect
1. a single resource (+1)
2. all resources .xxx on path y (+1)
3. all resources .xxx on paths w , z , y (-1) (should be
4. all resources .xxx on all paths (-1)
5. all resources on path y (-0)
6. all resources on paths x, y, z (-0)
7. all resources on all paths (-1)
I think these are all the options, or maybe I forgot some?
now if you use two conf. points, you can not really be that specific
about what you want.
you can not unprotect js from directory x and html from directory y.
That means, if you want a direct access to an html file in the cp, you
will expose also html (templates) which reside in directory in which you
wish to expose js files. no good.
I would rather vote for the one before:
<unprotect path="/org/tacos/ajax/*" fn="*.js"/>
and make the wildcard very strict:
in directory : /org/tacos/ (only this directory) or /org/tacos/* (all
subdirs).
in fn : *.ext or dojo.js
nothing in between, so dojo* is not acceptable.
then wait for the usecases to come up in jira :)
Cheers,
Ron
Jesse Kuhnert wrote:
That is precisely what I'm trying to avoid, having to explicitly list each
and every unprotected asset. For something like dojo this just isn't a
reasonable way of doing it.
Ideally I'd like to see a solution that disallows mucking around with paths
to get access to things, and also has intuitive defaults. Like making
.css/.js/.html files unprotected by default. I'm always a fan of more
complicated logic within the framework that allows the user to do as little
as possible to get up and running.
In that vein, maybe an easier solution would be 2 configuration points:
<configuration GloballySafeAssets>
<asset extension="css" />
<asset extension="js" />
<asset extension="html" />
<asset extension="htm" />
</configuration>
<configuration UnprotectedAssets>
<unprotected-assets path="/net/sf/tacos/ajax" />
</configuration>
This configuration would allow security logic to ensure proper paths AND
provide sensible defaults for unprotected resources, when people choose to
enable them.
Thoughts?
jesse
/net/sf/tacos/ajax/dojo/dojo.js
/net/sf/tacos/ajax/dojo/src/bootstrap.js
/net/sf/tacos/ajax/dojo/src/etc....
You can define an asset for every one of those, and unprotect it.
The fact that you are not directly using the assets does not concern
tapestry...
as before - I am much more in favour of the asset way, more simple
control... (more ->, simple, control).
To get around the only major haxor flaw that I can see, which is using
../../ to move around the paths we could go with something more like:
<configuration foo..>
<unprotected-resource path="/net/sf/tacos/ajax/components/"
contains=".*.js"
/>
</configuration>
breaking it to a path and filename wildcard sounds good.
you will however check it after you have accessed the resource.
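
The strict path/fn wildcard and the ../../ concern discussed in this thread, sketched as an added example (not code from the thread, Tapestry or Tacos). The class name UnprotectRule, the refusal of "%" and backslashes, and "/a/b/*" also covering /a/b/ itself are assumptions; the decision is made from the requested path alone, before any resource is opened.

```java
import java.util.regex.Pattern;
// Added illustration. UnprotectRule is a hypothetical name, not a Tapestry or Tacos class.
public class UnprotectRule {
    // path: "/a/b/" (that directory only) or "/a/b/*" (all subdirectories).
    private static final Pattern DIR = Pattern.compile("(/[A-Za-z0-9_-]+)+/\\*?");
    // fn: "*.ext" or one exact name such as "dojo.js"; "dojo*" matches neither form.
    private static final Pattern FN =
        Pattern.compile("\\*\\.[A-Za-z0-9]+|[A-Za-z0-9_-]+(\\.[A-Za-z0-9_-]+)+");

    private final String dir;      // always ends with "/"
    private final boolean subdirs; // true when path ended in "/*"
    private final String fn;

    public UnprotectRule(String path, String fn) {
        if (!DIR.matcher(path).matches() || !FN.matcher(fn).matches())
            throw new IllegalArgumentException("wildcard too loose: " + path + " " + fn);
        this.subdirs = path.endsWith("*");
        this.dir = subdirs ? path.substring(0, path.length() - 1) : path;
        this.fn = fn;
    }

    // Decides from the requested path alone, before any resource is opened.
    public boolean allows(String request) {
        // Assumption: deny rather than normalize anything that could move around the path.
        if (!request.startsWith("/") || request.contains("//")
                || request.contains("\\") || request.contains("%")) return false;
        for (String seg : request.split("/", -1))
            if (seg.equals("..") || seg.equals(".")) return false;
        int slash = request.lastIndexOf('/');
        String reqDir = request.substring(0, slash + 1);
        String name = request.substring(slash + 1);
        // Assumption: "/a/b/*" covers /a/b/ itself as well as everything below it.
        boolean dirOk = subdirs ? reqDir.startsWith(dir) : reqDir.equals(dir);
        boolean fnOk = fn.startsWith("*")
            ? name.length() >= fn.length() && name.endsWith(fn.substring(1))
            : name.equals(fn);
        return dirOk && fnOk;
    }

    public static void main(String[] args) {
        UnprotectRule rule = new UnprotectRule("/org/tacos/ajax/*", "*.js");
        String[] requests = { // constructed sample requests
            "/org/tacos/ajax/dojo/dojo.js", "/org/tacos/ajax/dojo/../../Secret.js",
            "/org/tacos/ajax/dojo/Tree.html", "/org/tacos/other/x.js" };
        for (String q : requests) System.out.println((rule.allows(q) ? "ALLOW " : "DENY  ") + q);
        try { new UnprotectRule("/org/tacos/", "dojo*"); }
        catch (IllegalArgumentException e) { System.out.println("rule refused: " + e.getMessage()); }
    }
}
```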