[Ur] Can an Ur/Web server be made to create directories / write to files on the host Linux filesystem?

Sergey Mironov grrwlf at gmail.com
Mon May 18 05:32:16 EDT 2015


Hi! Here are 2 cents from my side: I've written the urweb-callback library,
which provides an API for running server-side tasks. The library follows
the transactional semantics where possible. Also, it sends a callback
to a client upon completion - it was a non-trivial thing to implement.
The code is a bit bulky, but it works.
https://github.com/grwlf/urweb-callback

Also, there is an earlier project, uw-process, which allows the programmer to
spawn processes.

Regards,
Sergey

2015-05-18 11:21 GMT+03:00 Timothy Beyer <beyert at fastmail.net>:
> At Mon, 18 May 2015 00:38:17 -0300,
> Stefan Scott Alexander wrote:
>> I would like to make my Ur server interact in a few basic ways with the Linux filesystem:
>>
>> - writing files
>> - creating directories
>>
>> In order to ensure security, these kinds of filesystem operations performed by Ur/Web would
>> of course be tightly restricted to a very small predetermined set of functions, arguments,
>> and filesystem locations, and would only be able to be directly invoked from the server-side
>> (never from the client-side).
>>
>> Since Ur is specialized to be a webserver, I don't think there are any existing commands in
>> Ur itself which would allow the server to perform these interactions with the filesystem,
>> correct?
>
> If it is OK that the transaction might be restarted or interrupted, then using
> the C FFI on the server side for filesystem operations makes sense.
>
>> So I assume this would only be doable via the C FFI (foreign function interface) using C
>> functions such as:
>>
>> - fputs in stdio.h
>> - mkdir in sys/stat.h
>
> Correct.  File management on the client side shouldn't be possible in normal
> circumstances, short of a browser plugin or specialized software installed on
> the client machine.
>
> As far as effectful operations on the server side are concerned, keep in mind
> that Ur/Web requires transactional semantics, so anything that performs effects
> that cannot be reproduced later must be approached with extreme caution (as far
> as I'm concerned, this risk applies to any web application framework, although
> maybe not all web developers will agree).
>
> In my case, I want to write non-transactional long-running effects on the
> backend, so I'm implementing a JSON RPC client to send requests to a long
> running Haskell process that has a JSON RPC server, which in turn performs the
> unsafe operations.  This will be invaluable for file management related
> functionality (or anything truly stateful).
>
> If you're interested in that library, it isn't online yet, but soon it will be
> available (just got the proof of concept fully working).
>
> Whether or not this is a good idea is up for debate, but I'm going to
> experiment with this approach for the time being.
>
> Regards,
> Tim
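
The restriction discussed in the thread (a small fixed set of functions, arguments and filesystem locations), sketched in plain C as an added example that is not code from any poster or from Ur/Web itself. It assumes POSIX `openat`/`mkdirat`; `BASE_DIR`, `safe_mkdir` and `safe_write` are hypothetical names, and the Ur/Web FFI wrapper around them is left out.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed base directory (hypothetical); everything stays beneath it. */
#define BASE_DIR "/tmp/urweb-data-example"
/* Allow one path component of 1..64 chars from [A-Za-z0-9_-]; no '/', no "..". */
static int name_ok(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 64) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '_' && s[i] != '-') return 0;
    return 1;
}

/* Open the base directory (creating it if absent); returns an fd or -1. */
static int open_base(void) {
    if (mkdir(BASE_DIR, 0700) != 0 && errno != EEXIST) return -1;
    return open(BASE_DIR, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
}

/* Create BASE_DIR/<dir>; idempotent, so a restarted transaction can repeat it. */
int safe_mkdir(const char *dir) {
    if (!name_ok(dir)) return -1;
    int base = open_base();
    if (base < 0) return -1;
    int rc = mkdirat(base, dir, 0700);
    if (rc != 0 && errno == EEXIST) rc = 0;
    close(base);
    return rc;
}

/* Replace BASE_DIR/<dir>/<file> with text; symlinks are refused at each step. */
int safe_write(const char *dir, const char *file, const char *text) {
    if (!name_ok(dir) || !name_ok(file)) return -1;
    int base = open_base();
    if (base < 0) return -1;
    int d = openat(base, dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    close(base);
    if (d < 0) return -1;
    int fd = openat(d, file, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    close(d);
    if (fd < 0) return -1;
    ssize_t w = write(fd, text, strlen(text));
    return (close(fd) == 0 && w == (ssize_t)strlen(text)) ? 0 : -1;
}
```

Both operations give the same result when repeated, which matters because, as noted in the thread, the transaction that calls them may be restarted.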
