Is there a restricted execution solution that works with ERb or any other Rails templating format?

I'm writing a CMS and would like to allow my users to execute a very limited set of methods. Specifically, I'd like to allow them to call a predefined set of methods on a predefined object. They can specify any of the core datatypes - strings, numbers, arrays, hashes - as arguments.

Any way to do that in Rails?

Thanks in advance,
Maurice B. Gladwell

--
Posted via http://www.ruby-forum.com/.
nicholas.henry-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2007-May-13 16:22 UTC
Re: Can Rails have views with restricted execution?
Sounds like Liquid templating engine is what you are looking for: http://home.leetsoft.com/liquid

On May 13, 9:14 am, Maurice Gladwell <rails-mailing-l...@andreas-s.net> wrote:
> Is there a restricted execution solution that works with ERb or any
> other Rails templating format?
>
> I'm writing a CMS and would like to allow my users to execute a very
> limited set of methods. Specifically, I'd like to allow them to call a
> predefined set of methods on a predefined object. They can specify any
> of the core datatypes - strings, numbers, arrays, hashes - as arguments.
>
> Any way to do that in Rails?
>
> Thanks in advance,
> Maurice B. Gladwell
>
> --
> Posted via http://www.ruby-forum.com/.
Maurice Gladwell
2007-May-13 22:40 UTC
Re: Can Rails have views with restricted execution?
On May 13, 7:22 pm, nicholas.he...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:
> Sounds like Liquid templating engine is what you are looking for:
>
> http://home.leetsoft.com/liquid

Thanks a lot, Liquid almost cuts it... but not quite. The most powerful tool in the Liquid set is Liquid Drops.

"Liquid Drops [1]

Drops let you provide the user with custom functionality. They're very much like a standard Ruby class, but have all un-needed and potentially dangerous methods removed. From the user's perspective a drop acts very much like a Hash, though methods are accessed with dot-notation as well as element selection. A drop method cannot be invoked with arguments. Drops are called just-in-time thus allowing you to lazily load objects."

Problem is... I need to invoke them with (core data-types) arguments.

I'll keep looking.

M.

[1] http://home.leetsoft.com/liquid/wiki/HowTo#LiquidDrops

> On May 13, 9:14 am, Maurice Gladwell <rails-mailing-l...@andreas-s.net> wrote:
> > Is there a restricted execution solution that works with ERb or any
> > other Rails templating format?
> >
> > I'm writing a CMS and would like to allow my users to execute a very
> > limited set of methods. Specifically, I'd like to allow them to call a
> > predefined set of methods on a predefined object. They can specify any
> > of the core datatypes - strings, numbers, arrays, hashes - as arguments.
> >
> > Any way to do that in Rails?
> >
> > Thanks in advance,
> > Maurice B. Gladwell
> >
> > --
> > Posted via http://www.ruby-forum.com/.
> Problem is... I need to invoke them with (core data-types) arguments.

Radiant uses a tag based one called Radius or something? There's also HAML, but I'm not sure it's "safe" like liquid or radius. Other than that, you're on your own...

--
Rick Olson
http://lighthouseapp.com
http://weblog.techno-weenie.net
http://mephistoblog.com
Maurice Gladwell
2007-May-20 00:59 UTC
Re: Can Rails have views with restricted execution?
Thanks Rick,

I've looked at Radius[1], and it's much more powerful and suited to my needs than Liquid. Though to be fair, they have different design goals, with Liquid apparently more end-user oriented.

The only thing Radius lacks is typed-arguments: all Radius arguments are Strings.

Haven't looked at HAML yet, though I suspect - as you did - that it lacks any sort of security layer, being a full-power ERb alternative.

Generally I like Radius as a format a lot, even as something to learn from and improve on, so thanks for recommending it.

M.

[1] http://radiantcms.org/blog/archives/2006/09/18/how-to-understanding-radius-tags/

On May 14, 3:36 am, "Rick Olson" <technowee...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > Problem is... I need to invoke them with (core data-types) arguments.
>
> Radiant uses a tag based one called Radius or something? There's also
> HAML, but I'm not sure it's "safe" like liquid or radius. Other than
> that, you're on your own...
>
> --
> Rick Olson
> http://lighthouseapp.com
> http://weblog.techno-weenie.net
> http://mephistoblog.com
Maurice Gladwell
2007-May-20 01:03 UTC
Re: Can Rails have views with restricted execution?
Thanks Rick,

I've looked at Radius[1], and it's much more powerful and suited to my needs than Liquid. Though to be fair, they have different design goals, with Liquid apparently more end-user oriented.

The only thing Radius lacks is typed-arguments: all Radius arguments are Strings.

Haven't looked at HAML yet, though I suspect - as you did - that it lacks any sort of security layer, being a full-power ERb alternative.

Generally I like Radius as a format a lot, even as something to learn from and improve on, so thanks for recommending it.

M.

[1] http://radius.rubyforge.org/

On May 14, 3:36 am, "Rick Olson" <technowee...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > Problem is... I need to invoke them with (core data-types) arguments.
>
> Radiant uses a tag based one called Radius or something? There's also
> HAML, but I'm not sure it's "safe" like liquid or radius. Other than
> that, you're on your own...
>
> --
> Rick Olson
> http://lighthouseapp.com
> http://weblog.techno-weenie.net
> http://mephistoblog.com

--
Posted via http://www.ruby-forum.com/.
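
Added example, not part of any post in this thread and not Liquid or Radius code: one way to meet the requirement discussed above (a predefined set of methods on a predefined object, called with typed core-datatype arguments) without evaluating user-supplied Ruby. The `PageHelper` and `RestrictedTemplate` classes and the `{{ name(args) }}` tag syntax are hypothetical; arguments are parsed as JSON literals and checked against an allowlist of names and argument classes before dispatch.

```ruby
require 'json'
require 'erb'

# Hypothetical object exposed to template authors (constructed for this example).
class PageHelper
  def excerpt(text, length)
    text[0, length]
  end

  def join(items, separator)
    items.join(separator)
  end

  def lookup(hash, key)
    hash[key]
  end
end

class RestrictedTemplate
  # Allowlist: callable name => expected class of each argument.
  ALLOWED = {
    'excerpt' => [String, Integer],
    'join'    => [Array, String],
    'lookup'  => [Hash, String]
  }.freeze
  # Constructed tag syntax: {{ name(arg, ...) }}; anything else stays literal text.
  TAG = /\{\{\s*([a-z_]+)\((.*?)\)\s*\}\}/m

  def initialize(helper)
    @helper = helper
  end

  def render(source)
    source.gsub(TAG) { ERB::Util.html_escape(invoke($1, $2)) }
  end

  private

  def invoke(name, raw_args)
    types = ALLOWED.fetch(name) { raise SecurityError, "method not allowed: #{name}" }
    # Arguments are parsed as JSON data, never evaluated as Ruby.
    args = JSON.parse("[#{raw_args}]", create_additions: false)
    unless args.size == types.size && args.zip(types).all? { |arg, type| arg.is_a?(type) }
      raise ArgumentError, "#{name} expects (#{types.join(', ')})"
    end
    @helper.public_send(name, *args)
  rescue JSON::ParserError
    raise ArgumentError, "arguments to #{name} must be JSON literals"
  end
end
```

Because the method name is looked up in `ALLOWED` before `public_send` runs, inherited methods such as `instance_eval` or `send` are never reachable from a template, and the rendered result is HTML-escaped.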