[server] demoapp status

Toby Elliott telliott at mozilla.com
Mon Oct 10 11:09:36 PDT 2011


On Oct 10, 2011, at 10:56 AM, Tarek Ziade wrote:

> On 10/10/2011 07:10 PM, Toby Elliott wrote:
>> Looks good. I like the readability of the api decorator.
>> 
>> On Oct 8, 2011, at 10:13 AM, Tarek Ziade wrote:
>> 
>>> Hey
>>> 
>>> I've reworked a little bit demoapp and added :
>>> 
>>> - the config files we had previously  (accessible as a config object via the request object)
>>> - the __heartbeat__
>>> - a __apidocs__ page that displays a list of webservices the application contains
>>> - a __config__ page to display the config file(s)
>>> 
>> Please make extra sure this is off by default and only accessible if you set a very specific conf variable and do a little rain
> 
> the flag to toggle them on will be on by default in a dev. environment, and deactivated at two levels in prod, like what we have right now, which is:
> 
> - an nginx rule that prevents access to /__<anything>   (I think it's specifically __debug__ + __heartbeat__ right now)
> - the flag removed, defaulting to not activated.
> 
> The Pyramid debug bar is already removed in production.ini by default btw
> 

I'm not worried about production. I'm worried about someone installing the server externally. They should have to explicitly enable the config page (accompanied by a scary warning in the config file). What are the odds that an external deployer will be in dev mode without realizing it? If zero, then I'm happy.

> 
> So, when you code you have to think about this and maybe move around functions, which can be annoying. An explicit list solves this.

Yeah, I think that's an acceptable tradeoff for this.

Toby



More information about the Services-dev mailing list