
Hi JP & co., I've just started playing with current ATHENA - very nice !!! Is there any deeper security reason to use the "allowedMethods" mapping additionally to the simple fact, that a fragment implements a method only if it is necessary? If not, please consider to apply attached patch. It makes the code and use of it a little bit simpler. Thanks for your great work, best regards, Paul Reznicek
Index: nevow/athena.py
===================================================================
--- nevow/athena.py (Revision 3368)
+++ nevow/athena.py (Arbeitskopie)
@@ -407,20 +407,18 @@ <form onsubmit="Nevow.Athena.refByDOM(this).callRemote('foo', bar); return false;"> - By default, only methods named in the C{allowedMethods} mapping - may be invoked by the client. """ - allowedMethods = {} - def rend(self, context, data): myID = self.page.addLocalObject(self) context.fillSlots('nevow:athena_id', myID) return super(LiveFragment, self).rend(context, data) def locateMethod(self, ctx, methodName): - if methodName in self.allowedMethods: - return getattr(self, methodName) + if not methodName.startswith('_'): + method = getattr(self, methodName, None) + if method: + return method raise AttributeError(methodName)
Index: examples/athenademo/athenatest.py
===================================================================
--- examples/athenademo/athenatest.py (Revision 3368)
+++ examples/athenademo/athenatest.py (Arbeitskopie)
@@ -23,7 +23,6 @@ tags.form(action='#', onsubmit='return test(test_ClientToServerArgumentSerialization(this));')[ tags.input(type='submit', value='Test Client To Server Argument Serialization')]]) - allowedMethods = {'test': True} def test(self, i, f, s, l, d): self.assertEquals(i, 1) self.assertEquals(f, 1.5)
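Review bot: The new `locateMethod` in nevow/athena.py replaces a default-deny allowlist with a leading-underscore denylist, so every public attribute of a fragment and of its base classes becomes reachable by name from the browser, including `rend` and `locateMethod` themselves and any helper a subclass wrote for server-side use only. `getattr(self, methodName, None)` also hands back non-callable attributes, and `if method:` tests truthiness rather than callability, so this is not really a method check. To answer the question in the mail: the mapping is the trust boundary between client-chosen names and server code, and I would keep `if methodName in self.allowedMethods:` and reduce the boilerplate some other way that still requires an explicit opt-in per method. The docstring sentence removed at the top of the hunk should be replaced by a statement of whichever rule is in force rather than dropped.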
@@ -65,7 +64,6 @@ tags.form(action='#', onsubmit='return test(test_ClientToServerResultSerialization(this));')[ tags.input(type='submit', value='Test Client To Server Result Serialization')]]) - allowedMethods = {'test': True} def test(self, i, f, s, l, d): return (i, f, s, l, d)
@@ -104,7 +102,6 @@ tags.input(type='submit', value='Test Client To Server Asynchronous Exception Result')]]) - allowedMethods = {'testSync': True, 'testAsync': True} def testSync(self, s): raise Exception(s)
@@ -135,7 +132,6 @@ tags.form(action='#', onsubmit='return test(test_ServerToClientArgumentSerialization(this));')[ tags.input(type='submit', value='Test Server To Client Argument Serialization')]]) - allowedMethods = {'test': True} def test(self): return self.page.callRemote('test_Reverse_ServerToClientArgumentSerialization', 1, 1.5, u'hello', {u'world': u'value'});
@@ -159,7 +155,6 @@ tags.form(action='#', onsubmit='return test(test_ServerToClientResultSerialization(this));')[ tags.input(type='submit', value='Test Server To Client Result Serialization')]]) - allowedMethods = {'test': True} def test(self): def cbResults(result): self.assertEquals(result[0], 1)
Index: examples/athenademo/typeahead.py
===================================================================
--- examples/athenademo/typeahead.py (Revision 3368)
+++ examples/athenademo/typeahead.py (Arbeitskopie)
@@ -20,7 +20,6 @@ class TypeAheadFieldFragment(athena.LiveFragment): docFactory = loaders.stan(T.input(type="text", id="typehere", **athena.liveFragmentID)) - allowedMethods = { 'loadDescription' : True } def loadDescription(self, typed): if typed == '':
Index: examples/livefragments/livefrag.py
===================================================================
--- examples/livefragments/livefrag.py (Revision 3368)
+++ examples/livefragments/livefrag.py (Arbeitskopie)
@@ -40,11 +40,10 @@ def __init__(self, label, *a, **kw): super(CooperativeFrag, self).__init__(*a, **kw) - self.allowedMethods = {label: True} setattr(self, label, lambda: unicode(label)) def render_submit(self, ctx, data): - return "submitIt(this, '%s'); return false;" % (self.allowedMethods.keys()[0],) + return "submitIt(this, 'label'); return false;" class Root(rend.Page): def child_(self, ctx):
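Review bot: `render_submit` in examples/livefragments/livefrag.py now emits the literal string `'label'` instead of the fragment's own label, while `__init__` still registers the lambda under the value of `label` via `setattr`. Unless a fragment happens to be constructed with the label "label", the client-side call would presumably end in `raise AttributeError(methodName)`. Because the patch drops `self.allowedMethods`, the label has to be kept somewhere else, e.g. `self._label = label` in `__init__` and `return "submitIt(this, '%s'); return false;" % (self._label,)` here; the underscore keeps that attribute out of reach of the new `locateMethod` rule. The label is interpolated into a JavaScript string unescaped, as it was before the change, which is safe only while labels are fixed in server code. The class header is outside the hunk.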