[Twisted-web] Nevow Athena LiveFragment without allowedMethods
Paul Reznicek
maillists at ivsn.com
Wed Nov 30 22:14:25 MST 2005
Jean-Paul Calderone wrote:
> I'm wary of making it possible to accidentally expose a method to the
> client. Without allowMethods, it seems to be a quite simple to
> accidentally expose things. For example, with your patch, the following
> methods can be invoked by the client on any LiveFragment:
>
> get
> rend
...
> postForm
>
...
> With the above list of methods in mind, does it make more sense why
> allowedMethods is present?
Dear Jean-Paul,
You're right, it could be dangerous, but I'm soooo lazy about typing too much!
Attached is a revisited patch that meets the security requirement and at the same time makes allowedMethods
unnecessary: this version allows only the use of NEW methods
in the subclass; no superclass methods or overrides of them are accepted. Try it...
Could it be a way?
Paul
-------------- next part --------------
Index: athena.py
===================================================================
--- athena.py (Revision 3368)
+++ athena.py (Arbeitskopie)
@@ -407,21 +407,19 @@
<form onsubmit="Nevow.Athena.refByDOM(this).callRemote('foo', bar); return false;">
- By default, only methods named in the C{allowedMethods} mapping
- may be invoked by the client.
"""
- allowedMethods = {}
-
def rend(self, context, data):
myID = self.page.addLocalObject(self)
context.fillSlots('nevow:athena_id', myID)
return super(LiveFragment, self).rend(context, data)
def locateMethod(self, ctx, methodName):
- if methodName in self.allowedMethods:
- return getattr(self, methodName)
- raise AttributeError(methodName)
+ if not hasattr(super(LiveFragment, self), methodName):
+ method = getattr(self, methodName, None)
+ if method:
+ return method
+ raise AttributeError, 'Method "%s" not allowed' % methodName
# Helper for docFactories defined with stan:
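Review bot: the replacement check in locateMethod is narrower than the commit text suggests. `hasattr(super(LiveFragment, self), methodName)` only consults the classes that follow LiveFragment in the MRO, so methods defined on LiveFragment itself (locateMethod and rend in this very hunk, unless a base also defines them) and on any intermediate subclass between LiveFragment and the concrete fragment are not excluded, and `getattr(self, methodName, None)` hands back any truthy attribute, not just callables, so a non-method attribute with a name the client guesses would be returned and then called. At minimum add `callable(method)` to the condition and reject names starting with an underscore; an explicit allow-list such as the removed `allowedMethods` remains the safer default. The docstring lines describing `allowedMethods` are deleted without replacement, so please document the new rule ("only methods the subclass introduces are callable") in their place.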