dynamic wiki content
Simon Michael
simon at joyful.com
Wed Nov 17 21:54:10 UTC 2004
>One cannot do anything with DTML that is not already exposed as an
>externally available method from the python code. (e.g. one could
>simply use HTTP GET to run that python method anyway)
>
That's true; you can visit the appropriate delete method directly and
delete some objects if you have permission.

If you don't have permission, DTML in pages makes it a little easier to
get someone else to do it inadvertently.
I.e., a DTML call can be left lurking in a page to be triggered next time a
logged-in manager views that page. Though we would disallow this as
described.

FWIW, members do have permission to delete any page in the wiki via URL
right now. In practice, those of us who are subscribed (at least) would
notice any unusual deletes; we would undo the actions and investigate.

There is a trade-off between "security" and usability. At some point you
are better off relying on backups and appropriate corrective action when
needed.

Feel free to move this thread to e.g. zwiki at zwiki.org if we are getting
off-topic.

More information about the ubuntu-doc mailing list