[Twisted-web] Nevow Athena LiveFragment without allowedMethods

Paul Reznicek maillists at ivsn.com
Wed Nov 30 22:14:25 MST 2005

Jean-Paul Calderone wrote:
> I'm wary of making it possible to accidentally expose a method to the 
> client.  Without allowedMethods, it seems to be quite simple to 
> accidentally expose things.  For example, with your patch, the following 
> methods can be invoked by the client on any LiveFragment:
>  get
>  rend
>  postForm
> With the above list of methods in mind, does it make more sense why 
> allowedMethods is present?

Dear Jean-Paul,

You're right, it could be dangerous, but I'm soooo lazy for typing too much!

Attached is a revisited patch that fulfills the security and makes allowedMethods
unnecessary at the same time - this version allows only usage of NEW methods
in the subclass; no superclass methods or overriding of them are accepted. Try it...
Could it be a way?

-------------- next part --------------
Index: athena.py 
--- athena.py	(Revision 3368) 
+++ athena.py	(Arbeitskopie) 
@@ -407,21 +407,19 @@ 
             <form onsubmit="Nevow.Athena.refByDOM(this).callRemote('foo', bar); return false;"> 
-    By default, only methods named in the C{allowedMethods} mapping 
-    may be invoked by the client. 
-    allowedMethods = {} 
     def rend(self, context, data): 
         myID = self.page.addLocalObject(self) 
         context.fillSlots('nevow:athena_id', myID) 
         return super(LiveFragment, self).rend(context, data) 
     def locateMethod(self, ctx, methodName): 
-        if methodName in self.allowedMethods: 
-            return getattr(self, methodName) 
-        raise AttributeError(methodName) 
+        if not hasattr(super(LiveFragment, self), methodName): 
+            method = getattr(self, methodName, None) 
+            if method: 
+                return method 
+        raise AttributeError, 'Method "%s" not allowed' % methodName 
 # Helper for docFactories defined with stan: 
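
Review bot: In locateMethod, the hasattr(super(LiveFragment, self), methodName) test turns the explicit opt-in into expose-by-default: any name that the classes after LiveFragment in the MRO do not define is handed to the client, so a subclass's internal helpers (underscore-prefixed ones included) become remotely callable as soon as they are written. Two further gaps in the same lines: super(LiveFragment, self) skips LiveFragment's own namespace, so a name defined only on LiveFragment passes the check, and "if method:" accepts any truthy attribute rather than only callables, so instance data can be returned as if it were a method. I would keep an explicit per-class declaration (the removed allowedMethods check, or a marker on each exposed method); if the shorthand stays, it should at least reject names starting with an underscore and non-callable attributes. The hunk also deletes the docstring sentences about allowedMethods without documenting the new rule in their place.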

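The two lookup rules discussed in this thread, compared on one sample subclass. This is an added example, not Nevow's code and not part of the original post: `Fragment`, `LiveFragment`, `Chat`, `locate_allowlist`, `locate_new_only` and `reachable` are hypothetical Python 3 stand-ins, and the attribute values are constructed.

```python
# Hypothetical Python 3 stand-ins, not Nevow's classes; sample values are constructed.
class Fragment:
    def get(self, ctx): return "data"
    def rend(self, ctx, data): return "<div/>"
    def postForm(self, ctx, name, args): return "posted"


class LiveFragment(Fragment):
    allowedMethods = {}

    def locate_allowlist(self, name):
        # Original rule: only names the author explicitly listed.
        if name in self.allowedMethods:
            return getattr(self, name)
        raise AttributeError(name)

    def locate_new_only(self, name):
        # Revised patch's rule: any truthy attribute the bases do not define.
        if not hasattr(super(LiveFragment, self), name):
            method = getattr(self, name, None)
            if method:
                return method
        raise AttributeError('Method "%s" not allowed' % name)


class Chat(LiveFragment):
    allowedMethods = {"say": True}

    def __init__(self):
        self.apiKey = "constructed-secret"   # instance data, not a method

    def say(self, text): return "said " + text
    def _purge(self): return "purged"        # internal helper, never meant to be remote


def reachable(fragment, locate):
    """Names a client could have resolved under the given lookup rule."""
    found = []
    for name in sorted(dir(fragment)):
        if name.startswith("__"):
            continue
        try:
            locate(fragment, name)
        except AttributeError:
            continue
        found.append(name)
    return found


if __name__ == "__main__":
    for rule in (LiveFragment.locate_allowlist, LiveFragment.locate_new_only):
        print(rule.__name__, reachable(Chat(), rule))
```

In this stand-in the lookup functions themselves show up under the second rule because they are defined on `LiveFragment` and not on its base, which is the namespace `super(LiveFragment, self)` skips.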