[Cubicweb] annotating divs with rql and vid
aurelien.campeas at gmail.com
Fri May 25 09:09:28 CEST 2012
2012/5/25 Sylvain Thénault <sylvain.thenault at logilab.fr>
> On 24 mai 23:27, Adrien Di Mascio wrote:
> > On Thu, May 24, 2012 at 9:39 PM, Sylvain Thénault
> > > Corollary points:
> > >
> > > * what can't we have by disabling rql input, beside allowing user to
> > > arbitrary rql?
> > There are quite a few places in CW or cubes where urls with explicit
> > rql and vid parameters are generated. If you disable the rql parameter
> > (which is not that hard), you'll get bitten there.
> yes, though IMO most of those could be avoided. And that's precisely the
> work to be done so one can disable rql input: I would want the default ui
> (and core cubes) still working.
Can't server-cooked rql/vid parameters be made like:
encode(secret, token, **vidargs) -> opaque params to the client
decode(secret, **request_vidargs) -> token, **vidargs
the token being some time-limited string that only the server knows about
and can be compared to assert the validity of the request elements
Then we can disable rql input but still send arbitrarily complex arguments.
As for the facets, I already forgot how they work exactly but even if they
use rql strings that should be replaceable with eid or plain attributes
elements.
Dunno if this makes sense ...
(the exact topic still eludes me, lack of use cases?)
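
The encode/decode round trip proposed above, as an added example that is not part of the original message and not CubicWeb code. It assumes an HMAC-SHA256 tag with an embedded expiry in place of the server-side token, so the parameters are tamper-evident but still readable by the client; the names sign, InvalidParams, ttl and now, and the sample RQL and secret, are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time


class InvalidParams(Exception):
    """Raised when server-issued parameters fail validation."""


def sign(secret, payload):
    """HMAC-SHA256 tag over the serialized parameters."""
    return hmac.new(secret, payload, hashlib.sha256).digest()


def encode(secret, ttl=300, now=None, **vidargs):
    """Serialize vidargs with an expiry time and append the tag."""
    issued = time.time() if now is None else now
    payload = json.dumps({"exp": int(issued + ttl), "args": vidargs},
                         sort_keys=True).encode()
    b64 = base64.urlsafe_b64encode
    return (b64(payload) + b"." + b64(sign(secret, payload))).decode()


def decode(secret, blob, now=None):
    """Return the original vidargs, or raise InvalidParams."""
    try:
        payload_b64, tag_b64 = blob.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError as exc:  # wrong field count or bad base64
        raise InvalidParams("malformed parameters") from exc
    # Verify the tag before parsing anything the client could have altered.
    if not hmac.compare_digest(tag, sign(secret, payload)):
        raise InvalidParams("bad signature")
    data = json.loads(payload)
    if (time.time() if now is None else now) > data["exp"]:
        raise InvalidParams("expired")
    return data["args"]


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret"  # assumption: per-instance server key
    blob = encode(SECRET, ttl=60, rql="Any X WHERE X is CWUser", vid="list")
    print(blob)
    print(decode(SECRET, blob))
```

With this in place the server only accepts rql/vid values it generated itself; a request carrying a raw rql parameter, or a blob whose payload was edited, fails before any query is built.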