[mod_python] modpublisher security model

Gregory (Grisha) Trubetskoy grisha at modpython.org
Wed Jan 31 23:29:44 EST 2001


I have in CVS some fixes that do not allow the publisher handler to
traverse modules. Right now if your script imports os, then one can get to
os and functions within it via a url, which is really bad. (ZPublisher
doesn't traverse modules either.)

Assuming that the module traversing issue is fixed - you make a function
"published" by simply having it in the module. If you do not want it to be
published, you can set its name to begin with an underscore or place it
into another module.

I did this because the ZPublisher comment thing always annoyed me. It's
really misleading - I like to use comments for what they are - comments,
and if a function doesn't need a comment, I prefer to have the option of
having no comment rather than """ this comment is for ZPublisher """ or
something silly like that.

Grisha

On Thu, 1 Feb 2001, Brett Haydon wrote:

> Evidently Zope currently uses the doc string to 
> explicitly allow access to functions via URL.
> 
> The new Python 2.1 will allow functions to have
> attributes.
> 
> I am currently renaming all imported modules with
> an underscore to avoid unintentional security problems
> (and global objects)
> but I like the idea of explicitly allowing access.
> 
> Any plans to move in this direction.
> 
> regards,
> ______________________________________________
> Brett Haydon
> 
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://www.modpython.org/mailman/listinfo/mod_python
> 
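The publishing rule Grisha describes (a name is published by being in the module, underscore-prefixed names are not, and the walk never descends into an imported module such as os) can be checked with a small path resolver. The code below is an added illustration, not mod_python's own publisher handler nor anything Grisha posted; the module name `sample`, the functions `resolve` and `is_published`, and the sample module contents are all constructed for this example.

```python
"""Constructed illustration of the publisher rule discussed above:
names in the module are reachable, underscore names are not, and the
URL walk refuses to step into any module.  Not mod_python's own code."""
import os
import types


class NotPublished(Exception):
    """Raised when a URL path does not resolve to a published object."""


def resolve(root, path):
    """Walk a URL path such as 'a/b/c' starting from the root module.

    Every component must be a public attribute of the current object.
    Stepping into a module at any depth is refused, so an imported
    module like `os` (and therefore os.system) is never reachable.
    """
    obj = root
    for part in path.strip("/").split("/"):
        if not part:
            continue
        if part.startswith("_"):
            raise NotPublished("underscore names are private: %r" % part)
        try:
            nxt = getattr(obj, part)
        except AttributeError:
            raise NotPublished("no such attribute: %r" % part)
        if isinstance(nxt, types.ModuleType):
            raise NotPublished("traversal into modules refused: %r" % part)
        obj = nxt
    return obj


def is_published(root, path):
    """True if the path resolves under the rule, False otherwise."""
    try:
        resolve(root, path)
        return True
    except NotPublished:
        return False


def _build_sample():
    """Constructed stand-in for a published mod_python script module."""
    mod = types.ModuleType("sample")
    mod.os = os                       # the dangerous import from the message
    mod._helper = lambda: "hidden"    # underscore name, never published

    def index():
        return "hello"

    mod.index = index                 # plain function: published
    return mod


sample = _build_sample()

if __name__ == "__main__":
    for p in ("index", "_helper", "os/system", "os", "missing"):
        state = "published" if is_published(sample, p) else "refused"
        print("%-12s %s" % (p, state))
```

Note that the module check is applied at every hop, not only at the root: a published object that itself holds a reference to a module would otherwise reopen the same hole one level down.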