[Cubicweb] annotating divs with rql and vid
sylvain.thenault at logilab.fr
Fri May 25 10:54:34 CEST 2012
On 25 May 10:40, Nicolas Chauvat wrote:
> On Fri, May 25, 2012 at 10:20:18AM +0200, aurélien campéas wrote:
> > > What would you say were the reasons to disable rql input?
> > Suppress potentially trivial & huge denial of service attacks.
> Ok. Disabling rql input can be a temporary solution or workaround, but
> it can not be a design goal. IMHO, CW was designed to get its power
> from rql. If we remove rql, what we have is just yet-another-python-web-framework.
We're talking about the client side, right? To resume my point:
* I agree that the rql+vid mechanism is what makes cw different, at the start
from the site developer POV
* making it accessible from the ui side gives great power to rqlable users,
and allows quick experimentation / ui functionalities
* *but* this is not always desired according to the developed web sites,
as some developed in the past and the future for customers
So: I want to keep that feature, but I would like to be able to secure/remove
it while keeping most of the things (default ui) working.
> > Security is one thing, denial of service is another. They are sometimes
> > conflated.
> > If we want to expose the full database to anyone, let's do it but not by
> > default, and let's think seriously about caching and rate limiting features
> > before ....
> The goal I am trying to get everyone to agree with is "there is no API
> but RQL (and views)".
> Of course the implementation has to take care of a lot of other
> issues, including read/write security and DoS attacks.
> and I suppose we could find the same for other web servers we looked
> at recently, like mongrel2.
Let's jump in and say it once and for all: currently, thanks to rql input, a single
HTTP request is enough.
Now is probably the time for one to resume the discussion in something more
constructive (one not being me :p )
Sylvain Thénault, LOGILAB, Paris (01.45.32.03.12) - Toulouse (09.54.03.55.76)
Python, Debian, Agile methods training: http://www.logilab.fr/formations
Custom software development: http://www.logilab.fr/services
CubicWeb, the semantic web framework: http://www.cubicweb.org