[Cubicweb] annotating divs with rql and vid

Sylvain Thénault sylvain.thenault at logilab.fr
Fri May 25 10:01:12 CEST 2012


On 25 mai 09:09, aurélien campéas wrote:
> Can't server-cooked rql/vid parameters be made like:
> 
> encode(secret, token, **vidargs) -> opaque params to the client
> decode(secret, **request_vidargs) -> token, **vidargs
> 
> the token being some time-limited string that only the server knows about
> and can be compared
> to assert the validity of the request elements
> 
> Then we can disable rql input but still send arbitrarily complex arguments.

yes, this could probably be a nice solution, disabling arbitrary rql input
simply meaning encode rql with a secret key. Though it's still doesn't match
the future web as seen by Nicolas, since that would need the secret key to
be known on the client side, which breaks the whole thing.

-- 
Sylvain Thénault, LOGILAB, Paris (01.45.32.03.12) - Toulouse (09.54.03.55.76)
Formations Python, Debian, Méth. Agiles: http://www.logilab.fr/formations
Développement logiciel sur mesure:       http://www.logilab.fr/services
CubicWeb, the semantic web framework:    http://www.cubicweb.org



More information about the Cubicweb mailing list