Forum OpenACS Development: Some ideas about package structure ... comments?

Today packages generally have this directory structure, which is understood by the bootstrap code and the request processor:

/tcl (read by bootstrap code)
/www ("/package-key/foo" is mapped to "/package-key/www/foo" rp requires user have read priv)
/www/admin (request processor requires user have admin privs)

One issue is that currently packages put .gif, .jpg, .png and other image elements under various /www directories.  An issue for performance is the fact that references are then permission checked by the request processor, which typically isn't necessary.

Sloan created a global /graphics directory which is then not checked by the request processor, but this doesn't allow APMs packages by third parties to take advantage (as their files are all supposed to be in their package directory tree)

My proposal to fix this is simple: define "/www/resources" to be a directory that isn't permission checked by the request processor.  We already have the "/www/admin" precedent for treating a subdirectory of "/www" specially.  Package could then stash their little left and right arrow .gifs and the like there knowing that they'd be available whether or not the user's logged in and without any permission checking overhead.

The other issue concerns templates that are meant to be included, rather than referenced by URL.  For instance file-storage has a template named "folder-chunk" under its /www directory.  Now ... if permission checking is done by the caller of an includable template rather than the template itself, a security hole is introduced (potentially at least.)  Outsiders can call folder-chunk directly, in this example (though I think it does the proper permission checking, perhaps I should check!)  One way around this: put the template someplace where the request processor won't see it.

My suggestion is simple: /templates under the package key.  If an includable template is stuck there no one can reference it with an HTTP request, so relying on the caller doing security checking is no longer a security issue (if it is done properly, of course!)

So my suggestion is that we support the following structure:

/tcl
/www
/www/admin
/www/resources
/templates

What do others think?  I'd make the simple request processor change needed for /www/resources shortly.  Of course current packages would still work fine with files stored as they are, but I'd anticipate people would start taking advantage of the /www/resources directory to avoid permission checking quite soon, particularly in .LRN ...

We could do the same for cascading style sheets. Place those in /www/resources (either package specific or global).

I think this is the first half of what needs to be done for really useful CSS on a package by package basis -- which is the essence of "cascading". The second half (since the <link> elements have to go in the <head>, which is probably handled by a global template) is providing a mechanism to pass stylesheet references as properties up to more general templates or have global templates look up package stylesheets (by package id?). The former is probably be more useful since it would allow more freedom to specify particular stylesheets when necessary.

Hi,

I think the proposal is good.  I guess I am a offender of this security problem you have mentioned.  Since I normally put my templates, gif, css, etc. on a single folder.  Like www/templates/subsite1.

I think we should however use /includes rather than /templates since that is what we are particularly trying to secure.  The includes that do not do any checking. /includes is more explicit to tell the developer to place his includes in /includes.

I guess given this structure I would not have to structure my templates as:

/www/resources/subsite1
/includes/subsite1.

Maybe /templates is better since will put also masters there.  Anyway just suggesting that the name should be more obvious to the developer.

I like the idea. I guess I can undo what I've done by placing only an index.vuh file in the package /www directory and having the index.vuh map requests to /pages/* files.

Will this go into the 4.6 branch?

Randy

Don, you forgot to mention the www/doc special directory.

In fact, how about making the /packages/package-keywww/resources directory available as /resources/package-key/, just like we do with doc, so that you can rely on a fixed URL for your graphic, regardless of whether and where any packages are mounted.

That would be really useful for master templates, portlets, and other renderings, that don't necessarily know where the package is mounted.

/Lars

Are the security checks not going to take place in /resources even if the connection is secure via https? (my vote is that it never check permissions even if it is a secure connection). Currently RP treats permissions on secure connections differently then insecure ones. i.e. the public could not see the graphics in my /graphics directory on the https://site.com/register page without a hack to the  ad_login_page proc (found in packages/acs-tcl/tcl/security-procs.tcl file), though they could see it when on straight http:// ... is there a reason why the request processor treats permissions differently if you are connected via https?

Timo - I agree about putting the default template in acs-subsite.

Lars - after looking into things after our discussion earlier today why can't you just use "resources/foo.gif" and ignore the url to the mounted package?  If for some reason you *really* need a URL to the package that is guaranteed to work, why not use [ad_conn package_url]?  I don't know why the dotlrn package was written to reference /dotlrn in hardwired fashion, but changing to "resources/foo.gif" works just fine...and packages shouldn't be cross-referencing small graphics buried in other packages (other than our current kludge of using acs-subsite/www/shared, something we can fix as we get time)

I'm also adding a suggestion made by Jeff Davis: disallow execution of scripts in the unchecked resources directory.  Actually I'm only allowing one to reference .png, .gif, .jpg and .css files - I suppose we could parameterize this but is it necessary?  Packages need to be able to depend on a set of extensions being guaranteed to work and parameterizing the list would allow the site admin to break everything.

We also discussed using ns_returnfile to quickly return such content without going through a bunch of request processor codef.  I've reviewed the code that's executed when the request processor is in performance mode, and the path through the code to the ns_returnfile used to return non-script files is quite efficient and I don't think any special treatment is necessary.

i echo matthew's question about authentication under https - Don?

If it is the case, that's great, because it's getting annoying having to code in the kludge every time i setup a secure site.

Two points:

1) Since the special feature about /resources is that it's not permission-checked, could the name reflect that?  What about /public-resources or /public?

2) Can we make this the first TIP?  (Or OIP?)  One quick-and-dirty way to support the OIP process technologically might be a new forum.  Anybody can post, first post in a thread must be a full, formal OIP proposal; then the thread has a week or two (or whatever is in the OIP plan - we should link that in the forum title) to accumulate yes and no votes from the Core Team.  I'm sure this process has many drawbacks compared to a new custom package or a special version of Bugs, but are any of those drawbacks fatal?  If not, I hope we do this or something similar to get momentum in a formal OIP process.

Good point about .xql files - it is easy to get the request processor to not serve them and you're right, we shouldn't.  I don't want to move them all, though, it's very convenient having them in the same directory when developing/bug fixing.  And there are a lot of them, moving them would be a PITA.

As far as the TIP process goes I guess informally we've kinda done this as Jeff, Lars and I talked this over in private and we're also talking about it in public.

We really do need to get moving on the governance stuff, everyone seemed to run out of steam ...

Aldert,

Why would someone want to see the queries in browser? If he knows the name of the xql file (he has to, otherwise he can't load it with the browser), he can as well open it in emacs.

Realistically, is there any time a developer won't have ssh access to their server?  I mean ... not only do you *look* at your query files, you edit them...

Yes, I agree, it is rather useless without it ... I don't know why the original aDer(s) implementing this package turned it off by default.

But I know how to get it enabled by default: submit a patch!

I think I'll adopt Joel's suggestion of "public-resources" rather than "resources" to make clear the implications of puttng stuff there ...

I really think we should do this as a TIP.  It's simple and not very controversial, so we can focus our argument energy on process instead of content. :)  We're all waiting for one of us to get around to implemented a more complete system.  Meanwhile, we could go ahead and do it in a dedicated forum.  It wouldn't be perfect, but it would let us practice the organizational issues.  It would also uncover hidden requirements for a more complete technological solution.  If someone on the core team agrees, would you please set up the new forum?  The last available draft of the OpenACS TIP thing should be linked from the description or charter, and a summary of this thread could be the first TIP.

Dave. I think that's a good approach but not necessarily Joel's point, which I think is that we should take this oppotunity to implement or flesh out the governance proposals.

I think everyone has trust in Lars, Don and Jeff, but the fact  much of the discussion took place in private is because we hadn't worked out a lightweight governance bureacracy for deciding these issues.

Don called for reigniting the governance discussion, so I'll do so in another thread.

talli

Revised proposal: /tcl /www /www/admin /www/public-resources /template /test

• resources renamed to public-resources
• automated tests move out of /tcl to reflect the fact that they may be broader and more general.

We want to incorporate tclwebtest into the automated test framework so we can do page testing as well as API testing.

One more quick question. Don, did you create the acs-resources package mentioned above?

Thanks.

Randy

Thank you, Lars.