You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@velocity.apache.org by bu...@apache.org on 2003/05/30 00:21:48 UTC

DO NOT REPLY [Bug 20342] New: - new event handler for input directives (#parse, #include)

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=20342>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=20342

new event handler for input directives (#parse, #include)

           Summary: new event handler for input directives (#parse,
                    #include)
           Product: Velocity
           Version: 1.4
          Platform: All
               URL: http://nagoya.apache.org/eyebrowse/ReadMsg?listName=velo
                    city-dev@jakarta.apache.org&msgNo=7781
        OS/Version: All
            Status: NEW
          Severity: Enhancement
          Priority: Other
         Component: Source
        AssignedTo: velocity-dev@jakarta.apache.org
        ReportedBy: wglass@forio.com


I've created a simple but flexible new event handler that is called by the 
#parse and #include directive.  This event handler takes as an argument the 
resource path argument for #parse or #include, and returns a modified path 
indicating the resource to actually be returned.  If the event handler returns 
null, no page is included.

This has many uses.  A few examples.
-- Relative path.  All #include/#parse directives can be forced to refer to a 
directory relative to the current template
 
-- Security.  A page can be restricted to only be able to refer to a 
particular group of pages.
 
-- Localization.  Templates can include pages for a particular language or 
region, and the app can switch those pages to refer to a different language or 
region as appropriate.
 
This patch is 100% backwards compatible with existing templates and code.

Personally, I have urgent need of this feature.  My web app allows numerous 
(untrusted) users to upload templates into a common web space (each user has 
their own directory).  A major problem was that users could access other 
user's pages with #parse and #include.  In just a few lines of code, I've 
implemented a security-oriented implementation of this event handler to allow 
each user to only be able to include their own set of pages.  Without this 
event handler, I was not able to figure out a straight forward solution to 
this problem.
 
As a side note, I believe this presents an elegant way to solve this problem 
as well (allowing the developer to force paths to be relative to the template).
 
http://www.mail-archive.com/velocity-dev@jakarta.apache.org/msg07223.html
 

Best, WILL
 
P.S.  If this approach is acceptable to the committers, I'll go ahead and 
create test cases and documentation in relatively short order.  I've already 
built some informal test code.  I can't run "ant test" completely as it fails 
(on the encoding test), even without the patch, but it ran fine up until that 
point.

---------------------------------------------------------------------
To unsubscribe, e-mail: velocity-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: velocity-dev-help@jakarta.apache.org