limiting controller methods


Kevin Turner

May 27, 2009, 1:10:25 AM
to glashammer
Hi, I'm looking for something to help organize my URL mapping, and
having used some object-publishing frameworks in the past,
Glashammer's controllers look familiar. But the fact that there's a
getattr done on unqualified user input troubles me; what if someone
starts requesting foo/__class__?

I don't see a way for a controller to change which of its methods are
exposed, but one way to do it would be to have a prefix on those
methods. For example::

    class Controller(object):
        def view_grow(self, request):
            # accessible as foo/grow
            self.resize(1)

        def view_shrink(self, request):
            # accessible as foo/shrink
            self.resize(-1)

        def resize(self, delta):
            # not a view method that's directly callable
            pass

I've implemented this at http://bitbucket.org/keturn/glashammer-limiting-controllers/
with one more detail: to maintain backward compatibility, it only
looks for a prefix on the methods when the attribute "target_prefix"
is defined. In this case, that'd be Controller.target_prefix =
'view_'

I'm brand new to werkzeug, so if there's a better way to go about
this, I'm all ears.

Ali Afshar

May 27, 2009, 5:06:39 AM
to glash...@googlegroups.com
Hi Kevin,

Kevin Turner wrote:
> Hi, I'm looking for something to help organize my URL mapping, and
> having used some object-publishing frameworks in the past,
> Glashammer's controllers look familiar. But the fact that there's a
> getattr done on unqualified user input troubles me; what if someone
> starts requesting foo/__class__?
>

Since I don't ever use "controllers" as such, I only implemented them
for someone else to use, and that's why they are underdeveloped, as you
rightly say.

> I don't see a way for a controller to change which of its methods are
> exposed, but one way to do it would be to have a prefix on those
> methods. For example::
>
>     class Controller(object):
>         def view_grow(self, request):
>             # accessible as foo/grow
>             self.resize(1)
>
>         def view_shrink(self, request):
>             # accessible as foo/shrink
>             self.resize(-1)
>
>         def resize(self, delta):
>             # not a view method that's directly callable
>             pass
>

Another way might be to have a views = ['shrink', 'grow'] class
attribute, for example.


> I've implemented this at http://bitbucket.org/keturn/glashammer-limiting-controllers/
> with one more detail: to maintain backward compatibility, it only
> looks for a prefix on the methods when the attribute "target_prefix"
> is defined. In this case, that'd be Controller.target_prefix =
> 'view_'
>

I think this is a very reasonable way of doing it, and will review your
branch. Thanks for the hard work.

> I'm brand new to werkzeug, so if there's a better way to go about
> this, I'm all ears.
>

One of the nice things about Werkzeug is that it doesn't force you into
a way of doing things, so whatever you do will be "correct".

Ali
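The dispatch problem Kevin raises (a getattr on the raw URL segment, so that foo/__class__ or foo/resize resolve to attributes) and the two ways of limiting it discussed above, the target_prefix approach and Ali's views = [...] list, worked through as an added example. This is not Glashammer's or Werkzeug's code; NotFound, the resolve_* functions, dispatch, is_exposed and the ListedController class are names invented for the example, and the controllers just track a size so that calls have an observable result.

```python
# Added example; not Glashammer's or Werkzeug's code.  A toy object-publishing
# resolver that turns the last URL segment of foo/<segment> into a controller
# method: first in the getattr-on-user-input form, then limited by a method
# prefix (the target_prefix approach) and by an explicit allow-list (the
# views = [...] idea).  All names below are assumptions made for this example.


class NotFound(Exception):
    """The path segment does not name an exposed view (an HTTP 404 in practice)."""


class Controller(object):
    # Opt-in: with target_prefix set, only view_* methods are reachable.
    target_prefix = 'view_'

    def __init__(self):
        self.size = 10

    def view_grow(self, request):
        # accessible as foo/grow
        return self.resize(1)

    def view_shrink(self, request):
        # accessible as foo/shrink
        return self.resize(-1)

    def resize(self, delta):
        # helper; must not be reachable from a URL
        self.size += delta
        return self.size


class ListedController(object):
    # Alternative: name the exposed methods explicitly on the class.
    views = ['grow', 'shrink']

    def __init__(self):
        self.size = 10

    def grow(self, request):
        self.size += 1
        return self.size

    def shrink(self, request):
        self.size -= 1
        return self.size

    def wipe(self, request):
        # exists on the object but is not listed, so it is not a view
        self.size = 0
        return self.size


def resolve_unsafe(controller, segment):
    """getattr on the raw segment: foo/resize and foo/__class__ both resolve."""
    target = getattr(controller, segment, None)
    if target is None:
        raise NotFound(segment)
    return target


def resolve_prefixed(controller, segment):
    """Look up <target_prefix><segment>; dunders and helpers can never match."""
    prefix = getattr(type(controller), 'target_prefix', None)
    if prefix is None:
        raise NotFound('controller exposes no views')
    target = getattr(controller, prefix + segment, None)
    if not callable(target):
        raise NotFound(segment)
    return target


def resolve_listed(controller, segment):
    """Only names present in the class-level views list are looked up at all."""
    if segment not in getattr(type(controller), 'views', ()):
        raise NotFound(segment)
    return getattr(controller, segment)


def is_exposed(resolver, controller, segment):
    """True if the resolver maps the segment to a target, False on NotFound."""
    try:
        resolver(controller, segment)
    except NotFound:
        return False
    return True


def dispatch(resolver, controller, segment, request=None):
    """Resolve, then call the view as a publishing framework would."""
    return resolver(controller, segment)(request)
```

The prefixed lookup never concatenates its way into a dunder, because no dunder starts with view_; the allow-list variant never calls getattr at all for names it does not know. Either way the only attributes a request can reach are the ones the controller author deliberately marked.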

Ali Afshar

May 28, 2009, 9:03:19 AM
to glash...@googlegroups.com
Hi Kevin, Patch and tests look good. Thanks once again. I have merged
your changes to trunk. Please also provide a changeset with your name
and contact details added to the AUTHORS.txt file.

Ali