I've realized an itch that I can easily scratch myself, but that will be tremendously more difficult for someone without SSH access to my machine:
How do I change templates? I'm asking this in the light of Site-Wide, ETP and Survey (0.3d). Is it possible using a "template" package, and if yes, what security measures should we have to take?
Let me sketch my vision here:
The Templating package will allow you to edit all templates the various packages offer using a web frontend. In a first step, all packages would have to tell the templating package what template directory they have. We might define special types of templates for easy access to quick manipulations affecting the whole site (default-master, article-index...).
The templating package goes through the directory and scans in all template.tcl files, looking for variables that will be set in the context of the ADP. A structured view is presented to the user (all installed packages with templates) that allows the user to view, add and edit the current templates.
In the editing mode, the whole .adp file will be shown in a textarea and above or below you will see all variables available to you.
In the add mode, you will first have to select an existing template to start from and then edit your ADP. Why? Well, how are you going to get the .tcl file otherwise?
Which brings me to the second part of the topic: Security. As you can do pretty nasty stuff with templates, a scanner has to be installed that prevents the template designer from including malicious code. I'd follow the idea of TIP 14 (https://openacs.org/forums/message-view?message_id=120544), but as Don said it might take a while. Maybe a check by the add/edit page would be enough?
I think we should in the medium run generate an RFC about this, also incorporating the idea of having templates depending on the package instance. I know Timo has worked on a templating system for Shar****, it would be good to talk about the design ideas behind it as well.
Jeff, do you see this duplicating your work on theming (https://openacs.org/forums/message-view?message_id=134257)?
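
One way the check on the add/edit page could look, as an added example in Tcl that is neither OpenACS code nor part of the post above: it rejects inline Tcl, server-side script elements and `<include>`, and requires every `@variable@` to be one that the template's .tcl file sets. The proc name `adp_check`, the rule set and the sample templates are assumptions made for illustration.

```tcl
# Added example; adp_check and its rules are hypothetical, not OpenACS code.
# Returns a list of problems found in a submitted ADP body; empty = accept.
proc adp_check {adp allowed_vars} {
    set problems {}

    # Inline Tcl (<% ... %> and <%= ... %>) runs inside the server process.
    if {[string first "<%" $adp] >= 0} {
        lappend problems "inline Tcl block is not allowed"
    }
    # AOLserver ADP also accepts Tcl in <script runat=server> elements.
    if {[regexp -nocase {<script[^>]*runat} $adp]} {
        lappend problems "server-side script element is not allowed"
    }
    # <include> would pull in another template along with its .tcl script.
    if {[regexp -nocase {<include[\s/>]} $adp]} {
        lappend problems "include tag is not allowed"
    }
    # Each @name@ or @name.column@ must refer to a variable the .tcl file sets.
    set re {@([A-Za-z_][A-Za-z0-9_]*)(?:\.[A-Za-z0-9_]+)?(?:;[a-z]+)?@}
    foreach {match name} [regexp -all -inline -- $re $adp] {
        if {[lsearch -exact $allowed_vars $name] < 0} {
            lappend problems "unknown variable: $name"
        }
    }
    return $problems
}

# Constructed sample templates; "title" and "items" stand for the variables
# that the matching .tcl file is assumed to set.
set allowed {title items}
set good {<h1>@title@</h1><multiple name="items"><li>@items.name@</li></multiple>}
set bad {<h1>@title@</h1><% set n [clock seconds] %><include src="other">@secret@}

puts "good: [llength [adp_check $good $allowed]] problem(s)"
foreach p [adp_check $bad $allowed] { puts "bad: $p" }
```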