4 Some Notes on the implementation ...
6 OFSWebMethod / SoTemplateRenderer
7 =================================
9 should a GET on OFSWebMethod
10 a) return the method and let a renderer instantiate the component
12 b) should a GET return the component
14 a) has the advantage that the renderer has more control and more
15 information about the thing being rendered
16 new: and: OFSWebMethod objects can be returned as method results !
17 b) has the advantage that the OFSWebMethod more directly corresponds
18 to a WOComponent and can be flexible about performing actions
20 The template-renderer doesn't need to have OFSWebMethod directly but
21 can rather use the clientObject in the context and it's hierarchy to
24 => for now we should return the component, maybe reconsider later
27 Acquision: lookupName vs traverseKey
28 ====================================
30 The question is: should -lookupName do acquisition if the flag is set,
31 or is the acquisition flag just a "hint" that acquisition is in progress ?
32 If it *does* acquisition, should it consider the traversal-stack in the
33 context ? What about 'binding' the result ? Currently the result is
34 bound to the position where it was located and not to the object the
35 lookup was performed on.
37 Currently the major difference in traverseKey is, that traverseKey
38 maintains the objectTraversalStack in the given context. This implies,
39 that for "sub-traversals" a new context should be created.
41 So for now -lookupName: acquires in the containment hierarchy if the
42 aquisition flag is turned on and traverseKey acquires along the context
45 Hm. This lookup issue needs to be cleared up and written down.
48 Acquisition of "relative" Resources
49 ===================================
51 Consider you have a page called "Test" which acquires and embeds
52 a component called "Embed". And "Embed" itself embeds another object
61 If Test embeds "Embed" how does "Embed" locate the "Who" object ?
62 A) Will it start looking at it's local position ?
63 B) Will it start looking at Test's position ?
65 I tried with Zope and it always embeds Who.dtml (B) - that is,
66 lookup for any "subobject" seems to go over the root-context
67 traversal hierarchy and not relative to the object's position.
69 I'm currently unsure whether that's a good solution, since when
70 designing a reusable component (or template) you probably want to keep
71 the associated resources in the component's location, not in the
72 location where the component is used ...
73 Indeed this is how it works in SkyPublisher.
76 All this gets even more tricky if you consider URL processing. Zope
77 does not do any URL processing resulting in a similiar problem. When
78 you write to reusable component you are probably thinking in the
79 context of that component, not in the context of the invocation. So
80 it probably makes perfect sense to rewrite URLs.
83 Products: a product can use "filename" bindings to trigger the resource
84 manager and this will return a product-relative URL. Maybe we can use that
85 for templates as well (eg Manage-Templates ?)
90 Should we use .xtmpl as the extension for templates and forbid web-access
92 Maybe we should even create a custom OFSWebMethod subclass for templates.
95 We currently do not support sites without a template :-( This is because
96 NGObjWeb currently always "finds" a component, even if it has neither a
97 template nor a class (probably something todo with scripting or forms).
99 Note: just remembered about Zope Page Templates ZPT which are similiar to
101 How are ZPT templates activated ?
104 Templates vs WebMethods
105 =======================
107 What's the difference between a web-"method" and a "template" ? Both operate
108 on a document (the "clientObject") to perform some tasks.
110 Method: /folder/index.html/manage
111 Template: /folder/index.html?template=manage
113 Apparently templates and methods are quite similiar. In practice they are not
114 and can be used in conjunction. "Methods", like the name suggests, are intended
115 to perform some operation, eg "adduser", while "templates" are for *rendering*
116 objects (usually in HTML).
119 - Methods: for performing operations on behalf of the clientObject
120 - Templates: for rendering a clientObject
122 It's a bit difficult to get that right and to decide what is best for a given
125 You most often use templates for automatic reuse of HTML "frames", eg instead
128 <dtml-var standard_html_header>
130 <dtml-var standard_html_footer>
132 In SOPE you simply defined a Main.xtmpl which does that for you. It's also
133 very common to use templates to provide navigation, banners, etc.
135 A template is somewhat like the thing known as a "skin", eg in the management
136 interface you activate a "management skin".
139 File Extensions and Class Hierarchy
140 ===================================
142 One problem with file-extensions is that they do not represent the SoClass
143 hierarchy. Consider that you are looking for a "user-folder" to perform
144 authentication. So the straight forward approach would be to walk up the
145 context and look for a child which has the ".userfolder" extension, eg:
150 But this would defeat the whole purpose of user-folders and SoClasses, you
151 cannot replace the folder class with an "LDAPUserFolder", because extensions
152 are bound to classes.
154 Some ideas to solve this problem:
155 - define a default which contains the sequence of the extensions to look up
156 (too limited, a new default for *each* kind of resource ?)
157 - instantiate each object and look at it's class
158 (too expensive, SOPE idea is to avoid instantiation if possible)
159 - look at a fixed name instead of the extension (eg acl_users.*)
160 - maybe, a bit limiting
161 - let the content-negotiation decide (like above)
162 - maybe, but how do we feed to negotiator ? Hm.
164 Currently I think we need to extend the SoClass system to provide a list.
166 [SoClass gimmeAllExtensionsForClassAndIncludeParents:YES
171 Similiar problem exists with various lookups. Eg "gimme a template" - currently
172 we can only lookup templates that end with ".xtmpl".
178 How does a security lookup flow ? Eg what leads to a 401 if the protected
179 'manage' method is called ? When are authenticators triggered ?
181 First: the SoSecurityManagerDebugEnabled default is your friend :-) By
182 activating that you can easily find out why access to a specific object
183 was denied or permitted (eg what role was selected)
186 - if a path is traversed, each 'name' is validated prior being queried by
187 calling the -validateName:inContext: method on the container
188 - the default-implementation in turn calls -validateName:ofObject:inContext:
189 on the shared security manager (SoSecurityManager object)
190 - the security manager first validates the object itself by calling
191 -validateObject:inContext:, this method checks whether a object is declared
192 public or which permissions are required to access the object
193 - if a permission is required, the security manager calls
194 -validatePermission:onObject:inContext:, this methods
195 - determines the "roles" which provide the permission (currently only by
196 using the class security info)
197 - then calls -userInContext:object: to get a SoUser object
198 - then compares the roles associated with the user and the roles required
199 to find out whether to allow access
206 In Zope a manager is basically the same thing like a developer since the ZMI
207 provides the development environment. In SOPE things are intended to be a bit
208 different, more like in traditional WO development.
210 Especially I would like to avoid the requirement to deploy the management
211 interface on the live site ! In contrast I would like to run a development
212 system for editing the web application and a deployment system for running the
213 application. Basically all things are intended to be read-only on the deployed
214 system (if only for security reasons).
216 This has some side-effects:
217 - different user-management in the deployed site ?
218 - manage dynamic site data *not* in SoOFS !
220 Eg an easy way to deploy a site would be a read-only subversion checkout area
221 which is updated periodically.
224 - dislike mix of templates and content
225 - dislike "live" editing of things, even if happening in a snapshot
226 - security issues, disable everything not required on the live site
227 (eg WebDAV write access)
230 "Special" Method Name Form Values
231 =================================
233 We currently support three "special" form-values that are processed during
236 a) Cmd, eg ?Cmd=freebusy
237 b) :method, eg ?:method=addFolder
238 c) XXX:method, eg ?XXX:method=blah
240 The first is for compatibility with ASP, the second is convenient for
241 attaching methods to form elements like popups and the third is for attaching
242 methods to submit buttons which display their value in the browser.
248 How does a template stored in a product (bundle) acquire it's resources ? In
249 Zope it seems to use a special "/p_/" path, eg the ZMI tab locates it's images
250 using "/p_/ltab.gif" - search for "Using the p_ folder" in Google.
252 This is related to the acquisition of relative resources.
256 Resource Manager and Bundles
257 ============================
259 Problem: WOResourceManager cannot discover templates in bundles since the
260 application wide manager only looks in it's own path.
262 This is not really necessary since classes know their bundles and therefore
263 could locate templates using that information. But bundle classes should also
264 be able to "see" all the other components for embedding, so we can't simply
265 restrict the lookup to a bundle local manager.
267 Skyrix41e WebUI does that by creating an own, global, LSWResourceManager which
268 uses the NGBundleManager and the bundle-info.plist to locate resources.
271 ... for now I have added SoComponent as a superclass which uses the product
274 Problem: pageWithName: uses the global resource manager to lookup components.
275 - the WOResourceManager *does* find the class
276 - but it does *not* find the template
277 => need a way in WOResourceManager to map a class to a different RM ?
278 - currently pages can only be loaded by the global resource manager
279 => put a hack into WOResourceManager, check's the class' bundle path
282 Acquisition of Templates
283 ========================
285 When we acquire a template by name on a custom object which itself is private
286 the custom object will reject the request for the template resource name with
287 a security exception.
288 This will abort the whole traverse-key method even though the container (or a
289 parent of the container has a perfectly valid template with public access).
291 Well, right now we allow public access to OFSImage and OFSPropertyListObject
292 to work around that issue, yet it may not be the "preferred" solution.
294 - treat a security exception like a missing resources .. urks, nope, this is
295 properly no good solution ...
296 - always lookup the template in the container?
297 - if the lookup fails in the object itself, lookup the template in the
299 - somehow check whether the object itself does intend to deal with such keys
300 at all (try something like hasKey: before attempting to use validateKey: on
301 an object which does not have it anyway ...)