Simon Michael simon at joyful.com
Wed Nov 17 21:54:10 UTC 2004

>One cannot do anything with DTML that is not already exposed as an
>externally available method from the python code.  (e.g. one could
>simply use HTTP GET to run that python method anyway)

That's true; you can visit the appropriate delete method directly and 
delete some objects if you have permission.

If you don't have permission, DTML in pages makes it a little easier to 
get someone else to do it inadvertently.
I.e., a DTML call can be left lurking in a page to be triggered the next time a 
logged-in manager views that page. Though we would disallow this as 

FWIW members do have permission to delete any page in the wiki via URL 
right now. In practice those of us who are subscribed (at least) would 
notice any unusual deletes, we would undo the actions and investigate. 
There is a trade-off between "security" and usability. At some point you 
are better off relying on backups and appropriate corrective action when 

Feel free to move this thread to e.g. zwiki at zwiki.org if we are getting 
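
An added example, not part of the original message: a defender-side audit that lists DTML constructs in wiki page source (tag, legacy comment and entity syntax) so such pages can be reviewed before a logged-in manager renders them. The page names, the sample sources and `some_method_hypothetical` are constructed for illustration.

```python
from __future__ import annotations

import re
from typing import NamedTuple

# The three DTML spellings accepted in page source.
# TAG tolerates '>' inside a quoted expression, e.g. <dtml-if "x > 1">.
TAG = re.compile(r'<dtml-([a-z]+)((?:"[^"]*"|[^>"])*)>', re.I)
LEGACY = re.compile(r'<!--#([a-z]+)(.*?)-->', re.I | re.S)
ENTITY = re.compile(r'&dtml(?:\.[\w.]+)?-([\w.]+);')


class Finding(NamedTuple):
    line: int        # 1-based line where the construct starts
    syntax: str      # "tag", "legacy" or "entity"
    name: str        # tag name, or the variable for entity syntax
    has_expr: bool   # True when a quoted Python expression is present


def audit_page(source: str) -> list[Finding]:
    """Return every DTML construct found in one page's source."""
    findings = []
    for syntax, pattern in (("tag", TAG), ("legacy", LEGACY)):
        for m in pattern.finditer(source):
            line = source.count("\n", 0, m.start()) + 1
            has_expr = '"' in m.group(2)
            findings.append(Finding(line, syntax, m.group(1).lower(), has_expr))
    for m in ENTITY.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        findings.append(Finding(line, "entity", m.group(1), False))
    return sorted(findings)


def pages_needing_review(pages: dict[str, str]) -> dict[str, list[Finding]]:
    """Map page name -> findings, for pages that contain any DTML."""
    return {name: f for name, src in pages.items() if (f := audit_page(src))}


# Constructed sample sources; the method name is hypothetical.
SAMPLE_PAGES = {
    "PlainPage": "Just text with a <b>bold</b> word.\n",
    "TagPage": 'Intro line\n<dtml-call "some_method_hypothetical(x > 1)">\n',
    "LegacyPage": "<!--#var title_or_id-->\n",
    "EntityPage": "Hello &dtml-AUTHENTICATED_USER;\n",
}

if __name__ == "__main__":
    for page, found in pages_needing_review(SAMPLE_PAGES).items():
        print(page, found)
```

Constructs with `has_expr` set carry a Python expression and are the ones to look at first, since they can call a method with arguments chosen by whoever edited the page.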

