[PATCH]Web tracebacks should be disable-able

[twisted-trac]

	@itamarst reported
Trac ID	trac#135
Type	defect
Created	2003-07-28 06:09:53Z

Attachments:

• utils.py.patch (530 bytes) - added by rich on 2003-08-07 05:23:12Z -
• view.py.patch (2266 bytes) - added by rich on 2003-08-07 05:23:59Z -
• server.py.patch (481 bytes) - added by rich on 2003-08-07 05:27:31Z -
• web.py (972 bytes) - added by rich on 2003-08-07 05:41:29Z -
• server.py.2.patch (1498 bytes) - added by rich on 2003-08-07 06:06:30Z -

Searchable metadata

trac-id__135 135
type__defect defect
reporter__itamarst itamarst
priority__high high
milestone__ 
branch__ 
branch_author__ 
status__closed closed
resolution__fixed fixed
component__web web
keywords__ 
time__1059372593000000 1059372593000000
changetime__1140919209000000 1140919209000000
version__ 
owner__dp dp

[twisted-trac]

	@itamarst commented

#!html
<pre>
Showing the source and locals etc. is a security risk (e.g.
it will display the RPY where you store your database
usernamenpasword config, etc..)

Thus, it should be off by default. I recommend a ".debug =
False" attribute on Site that can be set to True.

</pre>

[twisted-trac]

	@glyph commented

#!html
<pre>
Nope, this should be turned on by default, since when you
are using defaults you are typically developing.  System
administrators can make this a site-local default by adding
to sitecustomize.py or somesuch.

</pre>

[twisted-trac]

	@glyph commented

#!html
<pre>
We have agreed that users must be able to disable web
tracebacks, regardless of what the default behavior should
be.  We can argue about that later.  Who wants to volunteer
to fix this? :)

</pre>

[twisted-trac]

	@glyph commented

#!html
<pre>
looks like you are the "volunteer", lv

</pre>

[twisted-trac]

	LordVan commented

#!html
<pre>
/me ? ;)

</pre>

[twisted-trac]

	syver commented

#!html
<pre>
I need a quick fix for this behaviour, where in the source 
should one go to put the if on the debug flag.

</pre>

[twisted-trac]

	rich commented

#!html
<pre>
I've attached three patches that address this. First is a patch to 
server.Site to add a displayTraceback attribute. This defaults to True.

Second is the patch to view.View. This checks the site's displayTraceback 
attribute in renderFailure. If it's false it writes self.genericFailure which 
can be overriden in a subclass.

The last patch is to utils.renderFailure to make it continue to log the 
tracebacks but skip the request.write based on the flag in site.

</pre>

[twisted-trac]

	rich commented

#!html
<pre>
For the sake of completeness I've added a fourth patch. This adds an 
option to twisted.tap.web to toggle displaying tracebacks from mktap.

</pre>

[twisted-trac]

	rich commented

#!html
<pre>
new patch for server.py that handles twisted.web as well as woven

</pre>

[twisted-trac]

	@itamarst commented

#!html
<pre>
To remind me to look at this.

</pre>

[twisted-trac]

	@itamarst commented

#!html
<pre>
Donovan, could you go about applying patches / fixes to woven and nevow for
this? I applied the applicable patches to twisted.web.

(it's utils.py and view.py).

I changed the attribute name to displayTracebacks.
</pre>

[twisted-trac]

	@jerub set status to closed

Fixed a long time ago.