[Cubicweb] annotating divs with rql and vid

Nicolas Chauvat nicolas.chauvat at logilab.fr
Fri May 25 10:40:40 CEST 2012


On Fri, May 25, 2012 at 10:20:18AM +0200, aurélien campéas wrote:
> > What would you say were the reasons to disable rql input?
> 
> Suppress potentially trivial & huge denial of service attacks.

Ok. Disabling rql input can be a temporary solution or workaround, but
it cannot be a design goal. IMHO, CW was designed to get its power
from rql. If we remove rql, what we have is just yet-another-python-web-framework.

> Security is one thing, denial of service is another. They are sometimes
> conflated.
> If we want to expose the full database to anyone, let's do it but not by
> default, and let's think seriously about caching and rate limiting features
> before ....

The goal I am trying to get everyone to agree with is "there is no API
but RQL (and views)".

Of course the implementation has to take care of a lot of other
issues, including read/write security and DoS attacks.

http://stackoverflow.com/questions/131681/apache-rate-limiting-options
and I suppose we could find the same for other web servers we looked
at recently, like mongrel2.

-- 
Nicolas Chauvat

logilab.fr - services en informatique scientifique et gestion de connaissances
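The thread mentions rate limiting as one of the mitigations that would have to accompany exposing RQL to clients. The following is an added example, not CubicWeb code and not from either author of the thread: a per-client token bucket placed in front of a query handler, charging a higher cost for queries that look expensive. The `execute_rql` callable, the client key and the cost heuristic are assumptions made for the illustration; a real deployment would key on the authenticated login or remote address and use a planner estimate or measured execution time rather than the crude string check shown here.

```python
"""Per-client token-bucket rate limiting in front of an RQL query endpoint.

Added example; it does not use any CubicWeb API. `execute_rql` is a
hypothetical stand-in for whatever actually runs the query.
"""
import time


class TokenBucket:
    """Classic token bucket: `capacity` requests of burst, refilled at `rate` per second."""

    def __init__(self, capacity: float, rate: float, now: float):
        self.capacity = float(capacity)
        self.rate = float(rate)
        self.tokens = float(capacity)   # start full so a new client gets its burst
        self.updated = now

    def try_consume(self, now: float, cost: float = 1.0) -> bool:
        # Refill proportionally to elapsed time, never above capacity.
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False          # over budget: caller should answer 429, not run the query


class RateLimiter:
    """One bucket per client key (assumed: login name or remote address)."""

    def __init__(self, capacity: float = 10, rate: float = 1.0, clock=time.monotonic):
        self.capacity = capacity
        self.rate = rate
        self.clock = clock      # injectable so the behaviour is testable without sleeping
        self.buckets = {}

    def allow(self, client_key: str, cost: float = 1.0) -> bool:
        now = self.clock()
        bucket = self.buckets.get(client_key)
        if bucket is None:
            bucket = self.buckets[client_key] = TokenBucket(self.capacity, self.rate, now)
        return bucket.try_consume(now, cost)


def query_cost(rql: str) -> float:
    """Constructed heuristic: charge more for queries that look expensive.

    A restricted, bounded query costs 1 token; an unrestricted scan of an
    entity type costs more, and an unbounded result set costs more again.
    """
    upper = rql.upper()
    cost = 1.0
    if " WHERE " not in upper:
        cost += 2.0           # no restriction: full scan of the entity type
    if "LIMIT" not in upper:
        cost += 1.0           # no LIMIT: result size is unbounded
    return cost


def handle_rql_request(limiter: RateLimiter, client_key: str, rql: str, execute_rql):
    """Gate a query behind the limiter; return (http_status, body)."""
    if not limiter.allow(client_key, query_cost(rql)):
        # Refuse before touching the database, so the expensive part never runs.
        return 429, {"error": "rate limit exceeded, retry later"}
    return 200, {"rows": execute_rql(rql)}


if __name__ == "__main__":
    limiter = RateLimiter(capacity=5, rate=1.0)
    fake_execute = lambda rql: []   # hypothetical executor; returns no rows
    for _ in range(7):
        print(handle_rql_request(limiter, "alice", "Any X WHERE X is CWUser LIMIT 10", fake_execute)[0])
```

The limiter decides before the query is executed, so a client that exceeds its budget costs the server only a dictionary lookup, which is the property that matters against the "trivial & huge" queries the thread is concerned about. Costing by query shape means a burst of cheap, bounded queries is tolerated while a single unrestricted scan consumes most of the budget.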
