[Twisted-web] Nevow Athena LiveFragment without allowedMethods
exarkun at divmod.com
Wed Nov 30 17:13:14 MST 2005
On Wed, 30 Nov 2005 22:44:03 +0100, Paul Reznicek <maillists at ivsn.com> wrote:
>Hi JP & co.,
>I've just started playing with current ATHENA - very nice !!!
Hi Paul, thanks :)
>Is there any deeper security reason to use the "allowedMethods" mapping
>to the simple fact, that a fragment implements a method only if it is
I'm wary of making it possible to accidentally expose a method to the client. Without allowMethods, it seems to be a quite simple to accidentally expose things. For example, with your patch, the following methods can be invoked by the client on any LiveFragment:
In that list, only postForm looks particularly scary, and many of these take objects which cannot currently be passed to methods by the client (ie, the context), but it is still quite a long list, and making it possible for the client to call these methods seems unnecessarily risky to me.
If it seems okay to you, you can always create a LiveFragment subclass in your project with the locateMethod implementation included in your patch and always subclass that instead of LiveFragment.
With the above list of methods in mind, does it make more sense why allowedMethods is present?
More information about the Twisted-web