[Cubicweb] annotating divs with rql and vid
nicolas.chauvat at logilab.fr
Fri May 25 10:40:40 CEST 2012
On Fri, May 25, 2012 at 10:20:18AM +0200, aurélien campéas wrote:
> > What would you say were the reasons to disable rql input?
> Suppress potentially trivial & huge denial of service attacks.
Ok. Disabling rql input can be a temporary solution or workaround, but
it cannot be a design goal. IMHO, CW was designed to get its power
from rql. If we remove rql, what we have is just yet-another-python-web-framework.
> Security is one thing, denial of service is another. They are sometimes
> If we want to expose the full database to anyone, let's do it but not by
> default, and let's think seriously about caching and rate limiting features
> before ....
The goal I am trying to get everyone to agree with is "there is no API
but RQL (and views)".
Of course the implementation has to take care of a lot of other
issues, including read/write security and DoS attacks.
and I suppose we could find the same for other web servers we looked
at recently, like mongrel2.
logilab.fr - scientific computing and knowledge management services