Eric Bréhault: Happy hacking with Plone
Talk by Eric Bréhault at the Plone Conference 2015 in Bucharest.
We, Plone developers, are architects. We build a sand castle. Then users play with it, love it, and break it. Children play with it and it gets broken. (Watch the short video Les Vacances.) Conflict: users love it and want new features, and we despair. So we build a nuclear power plant. Unbreakable, but the users cannot play with that any longer. Well, maybe terrorists can play with it, but they are not our target audience.
Pharmakon: any medicine is also a poison.
Build an inflatable castle instead: it is bouncy (more fun for the children), robust (more fun for us), and terrorists do not like it.
Hackability is a feature. It is not a flaw. It must be provided as a tool, something on top. If we lose this, we will lose part of our audience. We should have a hacking tool, not a hackable system. A modern and pleasant web interface.
And we have it: the ZMI. Well... Using framesets, really?
We have the Plone theming editor. It is already a hacking tool. Non-Plone experts can change the entire theme. The Diazo theory behind it is: "We write XSLT so you don't have to." In reality I am writing tons of XSLT, because there is a really detailed theme layout and lots of pieces of content that need to be hand-picked into it.
We need on-the-fly content changes with before and after: on-the-fly content insertion, also from 'remote' to insert a small page. We have this working, but it is not merged yet.
We want more. Create your own chunks of content and scripts when you only know Python and JavaScript, plus some simple Diazo to include them in your rules. This is what Rapido offers. Rapido is not a new Plomino, it is something different.
Rapido lives in the theme. Editable in the Plone UI or in the source. And then we use Diazo to inject it into Plone.
It is very simple. No ZCA, no ZPT (or any other templating language), no jbot, just HTML and Python.
Demo. [Looks quite nice, check the video once it is uploaded.]
We use souper for persistence. You can store on the context, or on the user, or wherever you want.
Is it secure? Python scripts are executed by zope.security.untrustedpython. All the regular security stack is applied, like the current user's privileges, the CSRF policy, and PostOnly. Just as secure as Diazo.
Rapido comes with a complete REST API with GET, POST, PUT, DELETE, PATCH. It is a ready-to-use JSON backend.
Rapido is Mosaic compliant, but does not depend on it. We just make a tile available to insert a Rapido element.
Questions?
Yes, you can import and export it and include it in a package or have it as a zip file, so you have it on the file system.
When will it be included in core? Not now. We may talk with the security team.
Debugging? More difficult: you cannot add a pdb breakpoint, same as in the Python skin scripts. We can make something possible, at least show on which line something goes wrong.
Philip: You still need to know Plone when you access for example the portal root in the code you create. I am not sold on it, just like I was never a fan of .cpy files. You lose debuggability. But yes, it lowers the barrier of entry. I am not the target audience.
There are of course permissions, so you can decide who can use this. And you can use access lists in a YAML file.