[Cubicweb] annotating divs with rql and vid

Sylvain Thénault sylvain.thenault at logilab.fr
Fri May 25 10:54:34 CEST 2012


On 25 May 10:40, Nicolas Chauvat wrote:
> On Fri, May 25, 2012 at 10:20:18AM +0200, aurélien campéas wrote:
> > > What would you say were the reasons to disable rql input?
> > 
> > Suppress potentially trivial & huge denial of service attacks.
> 
> Ok. Disabling rql input can be a temporary solution or workaround, but
> it cannot be a design goal. IMHO, CW was designed to get its power
> from rql. If we remove rql, what we have is just yet-another-python-web-framework.

We're talking about the client side, right? To summarize my point:

* I agree that the rql+vid mechanism is what makes cw different, at the start
  from the site developer's POV

* making it accessible from the ui side gives great power to rql-able users,
  and allows quick experimentation / ui functionalities

* *but* this is not always desired, depending on the web sites developed,
  as some were developed in the past and will be in the future for customers

So: I want to keep that feature, but I would like to be able to secure/remove
it while keeping most of the things (default ui) working.

> > Security is one thing, denial of service is another. They are sometimes
> > conflated.
> > If we want to expose the full database to anyone, let's do it but not by
> > default, and let's think seriously about caching and rate limiting features
> > before ....
> 
> The goal I am trying to get everyone to agree with is "there is no API
> but RQL (and views)".
> 
> Of course the implementation has to take care of a lot of other
> issues, including read/write security and DoS attacks.
> 
> http://stackoverflow.com/questions/131681/apache-rate-limiting-options
> and I suppose we could find the same for other web servers we looked
> at recently, like mongrel2.

Let's jump in and say it once and for all: currently, thanks to rql input, a single
HTTP request is enough.


Now is probably the time for someone to resume the discussion in something more
constructive (that someone not being me :p )

-- 
Sylvain Thénault, LOGILAB, Paris (01.45.32.03.12) - Toulouse (09.54.03.55.76)
Python, Debian, Agile methods training: http://www.logilab.fr/formations
Custom software development:            http://www.logilab.fr/services
CubicWeb, the semantic web framework:    http://www.cubicweb.org