3 Some Notes on the implementation ...
5 OFSWebMethod / SoTemplateRenderer
6 =================================
8 should a GET on OFSWebMethod
9 a) return the method and let a renderer instantiate the component
11 b) should a GET return the component
13 a) has the advantage that the renderer has more control and more
14 information about the thing being rendered
15 new: and: OFSWebMethod objects can be returned as method results !
16 b) has the advantage that the OFSWebMethod more directly corresponds
17 to a WOComponent and can be flexible about performing actions
19 The template-renderer doesn't need to have OFSWebMethod directly but
20 can rather use the clientObject in the context and it's hierarchy to
23 => for now we should return the component, maybe reconsider later
26 Acquision: lookupName vs traverseKey
27 ====================================
29 The question is: should -lookupName do acquisition if the flag is set,
30 or is the acquisition flag just a "hint" that acquisition is in progress ?
31 If it *does* acquisition, should it consider the traversal-stack in the
32 context ? What about 'binding' the result ? Currently the result is
33 bound to the position where it was located and not to the object the
34 lookup was performed on.
36 Currently the major difference in traverseKey is, that traverseKey
37 maintains the objectTraversalStack in the given context. This implies,
38 that for "sub-traversals" a new context should be created.
40 So for now -lookupName: acquires in the containment hierarchy if the
41 aquisition flag is turned on and traverseKey acquires along the context
44 Hm. This lookup issue needs to be cleared up and written down.
47 Acquisition of "relative" Resources
48 ===================================
50 Consider you have a page called "Test" which acquires and embeds
51 a component called "Embed". And "Embed" itself embeds another object
60 If Test embeds "Embed" how does "Embed" locate the "Who" object ?
61 A) Will it start looking at it's local position ?
62 B) Will it start looking at Test's position ?
64 I tried with Zope and it always embeds Who.dtml (B) - that is,
65 lookup for any "subobject" seems to go over the root-context
66 traversal hierarchy and not relative to the object's position.
68 I'm currently unsure whether that's a good solution, since when
69 designing a reusable component (or template) you probably want to keep
70 the associated resources in the component's location, not in the
71 location where the component is used ...
72 Indeed this is how it works in SkyPublisher.
75 All this gets even more tricky if you consider URL processing. Zope
76 does not do any URL processing resulting in a similiar problem. When
77 you write to reusable component you are probably thinking in the
78 context of that component, not in the context of the invocation. So
79 it probably makes perfect sense to rewrite URLs.
82 Products: a product can use "filename" bindings to trigger the resource
83 manager and this will return a product-relative URL. Maybe we can use that
84 for templates as well (eg Manage-Templates ?)
89 Should we use .xtmpl as the extension for templates and forbid web-access
91 Maybe we should even create a custom OFSWebMethod subclass for templates.
94 We currently do not support sites without a template :-( This is because
95 NGObjWeb currently always "finds" a component, even if it has neither a
96 template nor a class (probably something todo with scripting or forms).
98 Note: just remembered about Zope Page Templates ZPT which are similiar to
100 How are ZPT templates activated ?
103 Templates vs WebMethods
104 =======================
106 What's the difference between a web-"method" and a "template" ? Both operate
107 on a document (the "clientObject") to perform some tasks.
109 Method: /folder/index.html/manage
110 Template: /folder/index.html?template=manage
112 Apparently templates and methods are quite similiar. In practice they are not
113 and can be used in conjunction. "Methods", like the name suggests, are intended
114 to perform some operation, eg "adduser", while "templates" are for *rendering*
115 objects (usually in HTML).
118 - Methods: for performing operations on behalf of the clientObject
119 - Templates: for rendering a clientObject
121 It's a bit difficult to get that right and to decide what is best for a given
124 You most often use templates for automatic reuse of HTML "frames", eg instead
127 <dtml-var standard_html_header>
129 <dtml-var standard_html_footer>
131 In SOPE you simply defined a Main.xtmpl which does that for you. It's also
132 very common to use templates to provide navigation, banners, etc.
134 A template is somewhat like the thing known as a "skin", eg in the management
135 interface you activate a "management skin".
138 File Extensions and Class Hierarchy
139 ===================================
141 One problem with file-extensions is that they do not represent the SoClass
142 hierarchy. Consider that you are looking for a "user-folder" to perform
143 authentication. So the straight forward approach would be to walk up the
144 context and look for a child which has the ".userfolder" extension, eg:
149 But this would defeat the whole purpose of user-folders and SoClasses, you
150 cannot replace the folder class with an "LDAPUserFolder", because extensions
151 are bound to classes.
153 Some ideas to solve this problem:
154 - define a default which contains the sequence of the extensions to look up
155 (too limited, a new default for *each* kind of resource ?)
156 - instantiate each object and look at it's class
157 (too expensive, SOPE idea is to avoid instantiation if possible)
158 - look at a fixed name instead of the extension (eg acl_users.*)
159 - maybe, a bit limiting
160 - let the content-negotiation decide (like above)
161 - maybe, but how do we feed to negotiator ? Hm.
163 Currently I think we need to extend the SoClass system to provide a list.
165 [SoClass gimmeAllExtensionsForClassAndIncludeParents:YES
170 Similiar problem exists with various lookups. Eg "gimme a template" - currently
171 we can only lookup templates that end with ".xtmpl".
177 How does a security lookup flow ? Eg what leads to a 401 if the protected
178 'manage' method is called ? When are authenticators triggered ?
180 First: the SoSecurityManagerDebugEnabled default is your friend :-) By
181 activating that you can easily find out why access to a specific object
182 was denied or permitted (eg what role was selected)
185 - if a path is traversed, each 'name' is validated prior being queried by
186 calling the -validateName:inContext: method on the container
187 - the default-implementation in turn calls -validateName:ofObject:inContext:
188 on the shared security manager (SoSecurityManager object)
189 - the security manager first validates the object itself by calling
190 -validateObject:inContext:, this method checks whether a object is declared
191 public or which permissions are required to access the object
192 - if a permission is required, the security manager calls
193 -validatePermission:onObject:inContext:, this methods
194 - determines the "roles" which provide the permission (currently only by
195 using the class security info)
196 - then calls -userInContext:object: to get a SoUser object
197 - then compares the roles associated with the user and the roles required
198 to find out whether to allow access
205 In Zope a manager is basically the same thing like a developer since the ZMI
206 provides the development environment. In SOPE things are intended to be a bit
207 different, more like in traditional WO development.
209 Especially I would like to avoid the requirement to deploy the management
210 interface on the live site ! In contrast I would like to run a development
211 system for editing the web application and a deployment system for running the
212 application. Basically all things are intended to be read-only on the deployed
213 system (if only for security reasons).
215 This has some side-effects:
216 - different user-management in the deployed site ?
217 - manage dynamic site data *not* in SoOFS !
219 Eg an easy way to deploy a site would be a read-only subversion checkout area
220 which is updated periodically.
223 - dislike mix of templates and content
224 - dislike "live" editing of things, even if happening in a snapshot
225 - security issues, disable everything not required on the live site
226 (eg WebDAV write access)
229 "Special" Method Name Form Values
230 =================================
232 We currently support three "special" form-values that are processed during
235 a) Cmd, eg ?Cmd=freebusy
236 b) :method, eg ?:method=addFolder
237 c) XXX:method, eg ?XXX:method=blah
239 The first is for compatibility with ASP, the second is convenient for
240 attaching methods to form elements like popups and the third is for attaching
241 methods to submit buttons which display their value in the browser.
247 How does a template stored in a product (bundle) acquire it's resources ? In
248 Zope it seems to use a special "/p_/" path, eg the ZMI tab locates it's images
249 using "/p_/ltab.gif" - search for "Using the p_ folder" in Google.
251 This is related to the acquisition of relative resources.
255 Resource Manager and Bundles
256 ============================
258 Problem: WOResourceManager cannot discover templates in bundles since the
259 application wide manager only looks in it's own path.
261 This is not really necessary since classes know their bundles and therefore
262 could locate templates using that information. But bundle classes should also
263 be able to "see" all the other components for embedding, so we can't simply
264 restrict the lookup to a bundle local manager.
266 Skyrix41e WebUI does that by creating an own, global, LSWResourceManager which
267 uses the NGBundleManager and the bundle-info.plist to locate resources.
270 ... for now I have added SoComponent as a superclass which uses the product
273 Problem: pageWithName: uses the global resource manager to lookup components.
274 - the WOResourceManager *does* find the class
275 - but it does *not* find the template
276 => need a way in WOResourceManager to map a class to a different RM ?
277 - currently pages can only be loaded by the global resource manager
278 => put a hack into WOResourceManager, check's the class' bundle path
281 Acquisition of Templates
282 ========================
284 When we acquire a template by name on a custom object which itself is private
285 the custom object will reject the request for the template resource name with
286 a security exception.
287 This will abort the whole traverse-key method even though the container (or a
288 parent of the container has a perfectly valid template with public access).
290 Well, right now we allow public access to OFSImage and OFSPropertyListObject
291 to work around that issue, yet it may not be the "preferred" solution.
293 - treat a security exception like a missing resources .. urks, nope, this is
294 properly no good solution ...
295 - always lookup the template in the container?
296 - if the lookup fails in the object itself, lookup the template in the
298 - somehow check whether the object itself does intend to deal with such keys
299 at all (try something like hasKey: before attempting to use validateKey: on
300 an object which does not have it anyway ...)