Hi Christian

> Subject: [Zope3-dev] Re: skin support for xmlrpc
>
> On 2007-09-14 18:54:01 +0200, "Fred Drake" <[EMAIL PROTECTED]> said:
>
> > On 9/14/07, Roger Ineichen <[EMAIL PROTECTED]> wrote:
> >> If you register views for a base request type, you probably will open
> >> a backdoor in other projects. Because
> >
> > I'm not advocating registering views for the base request types
> > generally, but only the way to specify in the URL what the request
> > type is. Because sometimes we really do want completely separate sets
> > of XML-RPC (or whatever) interfaces.
>
> Ok, then I suggest:
>
> * Provide an IRequestType interface in zope.publisher
> * Provide an ++api++ traverser in zope.traversing which does
>   `getUtility(IRequestType, *name*)`.
> * define class IBrowserSkinType(IRequestType)
> * Leave ++skin++ for IBrowserSkinType or just make it the
>   same as ++api++
> * Keep layer="" on <xmlrpc:view>, <browser:page> etc.
>
> Comments?

If I understand the concept correctly, this is a builtin backdoor.
Doesn't this allow bypassing the Apache rewrite rule?

With:

    http://www.foobar.com/++api++xmlrpc/doSomething

If the rewrite rule in Apache is:

    RewriteRule (/?.*) http://localhost:8080/++skin++OnlyHere/++vh++https:www.foobar.com:443/++$1 [P,L]

Or does the ++api++ namespace recognize the skin?
Which means the rewritten URL is:

    http://www.foobar.com/++skin++OnlyHere/++api++xmlrpc/doSomething

But then, do we need to register the ++api++ for each layer?
I guess this is not what you are asking for, right?

My main issue on this thread is always the same:
Skins are a security layer. And don't bypass them, then
this lets us use views which we don't like to provide in a
layer/skin.

I really don't understand this thread. Does nobody take care
of default traversal APIs?

I'm really confused now. Probably I don't see something
or don't understand it correctly.

Do you understand what I mean with this backdoor use case?
Or am I totally wrong?

Regards
Roger Ineichen

> --
> Christian Zagrodnick
>
> gocept gmbh & co. kg . forsterstrasse 29 . 06112 halle/saale
> www.gocept.com . fon. +49 345 12298894 . fax. +49 345 12298891

_______________________________________________
Zope3-dev mailing list
Zope3-dev@zope.org
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com
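
The proxy rule quoted in this message, modelled as an added example (not part of the original thread, and not Zope or Apache code): it repeats the RewriteRule's string substitution and separates the `++name++` segments pinned by the proxy from those arriving in the client's path. `++api++` is the namespace proposed in the thread; the function names and the `allowed` parameter are assumptions, and Zope's own traversal is not modelled.

```python
import re
from urllib.parse import unquote

# Backend URL from the RewriteRule quoted in the message; "$1" stands for the
# client-supplied path captured by the rule's pattern (/?.*).
BACKEND_TEMPLATE = ("http://localhost:8080/++skin++OnlyHere/"
                    "++vh++https:www.foobar.com:443/++$1")
RULE_PATTERN = re.compile(r"(/?.*)")
# A traversal namespace segment has the form ++name++value.
NAMESPACE = re.compile(r"^\+\+([A-Za-z_]\w*)\+\+(.*)$")


def rewrite(client_path):
    """Build the backend URL by the rule's string substitution only."""
    return BACKEND_TEMPLATE.replace("$1", RULE_PATTERN.match(client_path).group(1))


def namespaces(path):
    """Return (name, value) for each ++name++value segment, percent-decoded."""
    found = []
    for segment in path.split("/"):
        m = NAMESPACE.match(unquote(segment))
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def audit(client_path, allowed=frozenset()):
    """Separate namespaces pinned by the proxy from those the client sent.

    `allowed` (hypothetical policy knob) names the namespaces a client may
    supply itself; everything else is listed under "rejected".
    """
    from_client = namespaces(client_path)
    return {
        "backend_url": rewrite(client_path),
        "pinned": namespaces(BACKEND_TEMPLATE),
        "client": from_client,
        "rejected": [name for name, _ in from_client if name not in allowed],
    }


if __name__ == "__main__":
    # Constructed sample paths; the first is the URL path from the message.
    for path in ("/++api++xmlrpc/doSomething", "/doSomething",
                 "/%2B%2Bskin%2B%2BOther/index.html"):
        report = audit(path)
        print(path, "->", report["backend_url"])
        print("  pinned:", report["pinned"], "client:", report["client"],
              "rejected:", report["rejected"])
```

The report makes the ordering visible: the proxy's `++skin++OnlyHere` always comes first, and any namespace segment in the client's path follows it unchanged unless the proxy or application rejects it.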