Open whacked opened 9 years ago
Hi whacked,
Sorry for the late response. I agree with you in the big picture. Having no means of excluding URL rules might become potentially problematic as the project gets bigger, e.g. performance issues, the minor security issue you mentioned, etc.
To talk about solutions to this matter, I can think of two possible solutions: we can easily make a decorator that would exclude URL rules for a view function, or we can make an option to init_app for users to manually exclude certain URL rules. Tell me what you think is best, and also any potential bugs/issues regarding the two aforementioned solutions you can think of!
Since you raised a valid point, I will keep this issue open and fix it in the future. Thanks for the input!
I was looking into using this but ended up writing a separate url helper to get around using back/front url_for for consistency, because it was a simpler option. Regardless, it seems like the lack of an inclusion/exclusion criteria config for url rules here is a potential (minor) security hazard, because it currently outputs the entire ruleset into jsglue.js. It's minor in the sense that we assume your URLs are already secure from unauthorized attacks, but not so minor in that you reveal information that should be obscure by design :-) Have you considered e.g. reading a config parameter like a regex that specifies inc/exc rules? These would be either a single regex string, or a list/tuple of strings (for exact matches) or regex strings.
Briefly, if an inclusion rule is given, all rules are excluded by default, except for those matching the rule. If an exclusion rule is given, all are included by default, except for those matching it. If both are given, all are excluded except those matching the inclusion rule, with the exclusion rules acting as subfilters.
I don't know if I'll come back to this library but if I do, and this is still open, I will add this feature. Thanks.
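The include/exclude semantics proposed in the post above, written out as an added example that is not code from Flask-JSGlue or from either participant. The config key names JSGLUE_INCLUDE_RULES and JSGLUE_EXCLUDE_RULES, the sample ruleset, and the decision to match regexes with fullmatch (rather than search) are all assumptions made here; the post leaves them open.

```python
import re
from typing import Iterable, List, Optional, Sequence, Tuple, Union

# A spec is None, one regex string, or a list/tuple of strings.
Spec = Union[None, str, Sequence[str]]

# Hypothetical config keys (assumption): Flask-JSGlue has no such options
# in the thread above; a real implementation would read them in init_app.
INCLUDE_KEY = "JSGLUE_INCLUDE_RULES"
EXCLUDE_KEY = "JSGLUE_EXCLUDE_RULES"


def _compile(spec: Spec) -> List[Tuple[str, "re.Pattern"]]:
    """Normalise a spec into (literal, compiled regex) pairs.

    Assumption: a bare string is one regex; each list/tuple entry is tried as
    an exact rule string first and as a regex second, so "/" selects only the
    root rule and never needs escaping.
    """
    if spec is None:
        return []
    if isinstance(spec, str):
        spec = [spec]
    return [(entry, re.compile(entry)) for entry in spec]


def _matches(rule: str, patterns: List[Tuple[str, "re.Pattern"]]) -> bool:
    # fullmatch, not search: an unanchored pattern such as "/" would otherwise
    # match every rule and silently widen an inclusion list.
    return any(rule == literal or regex.fullmatch(rule) is not None
               for literal, regex in patterns)


def filter_url_rules(rules: Iterable[str], include: Spec = None,
                     exclude: Spec = None) -> List[str]:
    """Return the rules that may be emitted into jsglue.js.

    - include only: everything is dropped unless it matches include
    - exclude only: everything is kept unless it matches exclude
    - both:         include selects first, exclude then removes from that set
    """
    inc, exc = _compile(include), _compile(exclude)
    kept = []
    for rule in rules:
        if inc and not _matches(rule, inc):
            continue  # deny by default once an inclusion list exists
        if exc and _matches(rule, exc):
            continue  # exclusion acts as a subfilter on whatever survived
        kept.append(rule)
    return kept


def rules_from_config(rules: Iterable[str], config: dict) -> List[str]:
    """Apply the (hypothetical) JSGLUE_* keys from a Flask-style config dict."""
    return filter_url_rules(rules, config.get(INCLUDE_KEY), config.get(EXCLUDE_KEY))


# Constructed sample ruleset, standing in for
# [r.rule for r in app.url_map.iter_rules()] on a real Flask app.
SAMPLE_RULES = [
    "/",
    "/static/<path:filename>",
    "/api/users/<int:user_id>",
    "/api/users/<int:user_id>/tokens",
    "/admin/",
    "/admin/users",
    "/internal/metrics",
]

if __name__ == "__main__":
    for label, cfg in [
        ("no filter", {}),
        ("exclude admin/internal", {EXCLUDE_KEY: r"/(admin|internal)(/.*)?"}),
        ("include api only", {INCLUDE_KEY: r"/api/.*"}),
        ("include root+api, hide tokens",
         {INCLUDE_KEY: ["/", r"/api/.*"], EXCLUDE_KEY: [r".*/tokens"]}),
    ]:
        print(f"{label}: {rules_from_config(SAMPLE_RULES, cfg)}")
```

The anchoring choice matters for the security point raised in the post: with an unanchored search, an inclusion entry of "/" would match every rule and the whole map would leak into jsglue.js again, which is exactly the behaviour the filter exists to prevent. Running the block prints the surviving rules for each of the four configurations.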