Re: [Templates] Mostly OT: Web-based editing
[Date index for 2004/10/12]
I really think the security issue can be mitigated given the "right kind of
coding." My site, for example, keeps the database logic in a set of modules
which are instantiated as objects in the scripts. I have a one-to-one
script/template ratio, so most logic runs in the scripts and the resulting
objects are passed off to the template processor.
So, when a user comes along to modify a template, say to have the middle name
of a member displayed when displaying the full name, they can manipulate the
passed objects all they want. But they can't do anything that the web-user
doesn't have permission to do, and because they don't have access to the database
handle they can't mess around with the database without a new username and
password to establish a connection from within a template directive.
While I'm sure there are security issues I haven't thought of, I really
believe it's possible to minimize the risk. My biggest issue, so far, is
having people with limited HTML knowledge try to handle template directives.
-Sean
On Tuesday 12 October 2004 10:59 am, Ovid wrote:
> --- Tosh Cooey <tosh@xxxxxxxxx.xxx> wrote:
> > I have a bunch of sites running with TT2 and I'd like to allow the
> > clients to edit the template FILES via a web interface.
>
> While I suppose it wouldn't be too hard to put something like this
> together, what you're effectively doing is allowing people to write
> code that runs on your box. This would be a massive security hole.
>
> A better solution would be a system which allows people to choose
> "sections" or something similar that allows them to reorganize things,
> if needed (such as choosing a different layout, different CSS,
> different components, etc.)
>
> Cheers,
> Ovid
>
> =====
> Silence is Evil: http://users.easystreet.com/ovid/philosophy/decency.html
> Ovid: http://www.perlmonks.org/index.pl?node_id=17000
> Web Programming with Perl: http://users.easystreet.com/ovid/cgi_course/
>
> _______________________________________________
> templates mailing list
> templates@xxxxxxxxxxxxxxxx.xxx
> http://lists.template-toolkit.org/mailman/listinfo/templates
--
Sean Kellogg
2nd Year - University of Washington School of Law
GPSS Senator - Student Bar Association
Editor-at-Large - National ACS Blog [http://www.acsblog.org]
c: 206.498.8207 e: skellogg@x.xxxxxxxxxx.xxx
"Use what talents you possess: the woods would be very silent if no birds
sang there except those that sang best."
-- Henry Van Dyke
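The script/template split Sean describes, written out as an added example (not code from the thread or from Template Toolkit itself): the script owns the database handle and passes a read-only view object into TT2, so a client-edited template can call the object's accessors but has no handle to reach. The `MemberView` class and the sample row are assumptions; a real script would fill the row from its DB module.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;

# Read-only view object (hypothetical name): holds plain data copied out of a
# database row, never the $dbh itself. Its method names are the only thing a
# template directive can call on it.
package MemberView;
sub new {
    my ($class, %row) = @_;
    my $self = { map { $_ => $row{$_} } qw(first_name middle_name last_name) };
    return bless $self, $class;
}
sub first_name  { $_[0]{first_name} }
sub middle_name { $_[0]{middle_name} }
sub last_name   { $_[0]{last_name} }

package main;

# Constructed sample row; in the real script this comes from the database
# module, and the handle stays in the script.
my %row = (first_name => 'Ada', middle_name => 'King', last_name => 'Lovelace');
my $member = MemberView->new(%row);

# A client-edited template: adding the middle name only needs the passed
# object. Nothing in the template's scope can open a database connection.
my $template = <<'TT';
Name: [% member.first_name %] [% member.middle_name %] [% member.last_name %]
TT

my $tt = Template->new({
    EVAL_PERL => 0,   # no [% PERL %] blocks (TT default, stated explicitly)
    LOAD_PERL => 0,   # [% USE x %] resolves only to registered plugins,
                      # not to arbitrary Perl modules (TT default)
});

my $output;
$tt->process(\$template, { member => $member }, \$output)
    or die $tt->error;
print $output;   # Name: Ada King Lovelace
```

Keeping EVAL_PERL and LOAD_PERL at their defaults is what makes the "passed objects only" boundary hold; turning either on gives template authors the code-execution path Ovid warns about.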