Forum OpenACS Development: ETP Subnavbar Application commited

Posted by Malte Sussdorff on 01/30/04 02:21 PM

I made some minor changes to ETP. First of all I created a Subnav Application (along with files), that fits in nicely with Lars' group-master.adp (/admin/configure, template community).

Furthermore I added the support for <include> tags to it, so you are able e.g. to include a random photo (for details see http://www.thecodemill.biz/publications/blog/archive/2004/01/#blog-entry-9879).

Last but not least, I created etp-custom-init.tcl, which should be the place to store your custom ETP applications, so you won't clutter etp-init.tcl.

2: Re: ETP Subnavbar Application commited (response to 1)

Posted by Caroline Meeks on 01/30/04 02:54 PM

Sounds great Malte,

Is this on ETP in HEAD or in contrib?

Do you have an example of the subnavbar in action?

thanks
Caroline

3: Re: ETP Subnavbar Application commited (response to 2)

Posted by Malte Sussdorff on 01/30/04 03:19 PM

It is in HEAD and in oacs-5-0.

See http://www.sussdorff.de/about/ as an example for the support of subnavbar and random-photo.

Sadly the page takes around 2secs to load as the db query for random-photo seems to be untuned.

4: Re: ETP Subnavbar Application commited (response to 1)

Posted by Jade Rubick on 01/30/04 07:09 PM

Can the support for <include> tags be optional?

The reason I say this is because there are some serious security implications of allowing people to execute template code. If you have access to the template level, that's quite a security risk. <% rm /tmp/* %> is a rather benign example..

It would be pretty easy to make this optional, and include a disclaimer that if you enable templating support, that you're compromising in security.

Granted, anyone with HTML access can hack your system too. But it's just so much easier with templating level access.

At least that's my understanding of it. Perhaps I'm wrong?

Admin level access would let you change the parameters, but create, write, and read levels would not, right?

5: Re: ETP Subnavbar Application commited (response to 1)

Posted by Randy O'Meara on 01/31/04 12:02 AM

Bart indicated in his blog entry (link in first message in this thread) that he tuned random photo query performance so that it is now acceptable. And his blog does indeed load photos quickly. Maybe Bart would commit or provide those changes for inclusion in the toolkit?

Very cool, Malte. Also Bart...

6: Re: ETP Subnavbar Application commited (response to 4)

Posted by Malte Sussdorff on 01/31/04 07:21 AM

I totally agree with you. Working include tags are a big risk. This is why I only put the switch into the subnav application and nowhere else. But having a parameter to turn it on / off would be a good thing as well, agreed.

7: Re: ETP Subnavbar Application commited (response to 6)

Posted by Jade Rubick on 02/02/04 07:37 PM

Can someone commit to fixing this? This is a security hole, and even though I'm very happy about the new functionality, I think this is a security problem big enough that I would call it a blocking security bug. I wouldn't choose to deploy this on my own site, unless I have the option of turning it off (and by default it should be off I think)

8: Re: ETP Subnavbar Application commited (response to 7)

Posted by Malte Sussdorff on 02/03/04 12:23 AM

Shall the parameter be Application, ETP or subsite-wide? If you say application specific, then I will upload a new subnavbar without <include> functionality. If you say ETP wide, I would ammend all the current ETP applications to make use of that parameter. And last but not least, if we make it subsite-wide, I would be looking into adding this to the weblogger (if it could be done easily). Someone else might then go off and add it either to the richtext widget or create a new widget type or manually edit this in each package.

9: Re: ETP Subnavbar Application commited (response to 1)

Posted by Jade Rubick on 02/04/04 06:37 PM

Perhaps subsite wide?