On Thu, 18 May 2000 16:55:37 +0200, Martijn Faassen
<[EMAIL PROTECTED]> wrote:
>Brian Lloyd wrote:
>> Yes you could, except that you would also make them inaccessible
>> from DTML (or from anywhere else) for the same class of users.
>>
>> Is it really acceptable that in order to use
>> on a pa
Martijn Faassen wrote:
> Various things. What you'd need is turn off 'view' permission by
> default for just about *everything* except possibly DTML Documents,
> otherwise it's just too easy to set up a site that exposes too
> much. Exposure to URLs should be turned off by default.
Well, this is
Martijn Faassen wrote:
>
> Brian Lloyd wrote:
> > Yes you could, except that you would also make them inaccessible
> > from DTML (or from anywhere else) for the same class of users.
> >
> > Is it really acceptable that in order to use
> > on a page that needs to be accessible to anonymous users
Tres Seaver wrote:
> I don't get the issue here, I guess; either anonymous users can view
> objectIds (through the web, through XML-RPC, whatever), or they can't
> (because you don't want them to have the information that a given
> object is there, I guess?)
Perhaps you just don't want to expose
Chris Withers wrote:
> The solution I proposed before is simple (maybe not to implement ;-) and
> I think solves all the problems:
>
> Split the current 'view' permission into two new permissions:
> 1. View - allow users to directly access an object through
> HTTP/FTP/XML-RPC/etc
> 2. Execute - a
Martijn Faassen wrote:
> So you have something like:
[snip]
> Of course this sounds like it could get unwieldy, unless there was
> some clear user interface.
This would be unwieldy, I prefer the suggestion I made (obviously ;-)
which gets around this...
> > From the point of view of an xml-rpc
Brian Lloyd wrote:
> Yes you could, except that you would also make them inaccessible
> from DTML (or from anywhere else) for the same class of users.
>
> Is it really acceptable that in order to use
> on a page that needs to be accessible to anonymous users that I
> must grant 'Access content
Ty Sarna wrote:
> Can't you just turn off 'Access contents information' permission or
> whatever it is on a folder if you don't want people to call
> those things through the web?
Hm, but wouldn't that break a lot of code? You need Access contents
information if you're going to do something like a
Brian Lloyd wrote:
> I don't have a good answer for you, though I tend to agree with
> you that some things just don't want to be accessed outside of
> some larger context. I'd like to hear some different viewpoints
> on how people think something like this should work...
What the difference s
At 12:13 PM 5/18/00 +0100, Steve Alexander wrote:
>
>It occurs to me that there are two distinct "views" of the Zope tree.
>
> 1. The developer's / content manager's view
>
> 2. The end-user's view
>
Unfortunately, it's not just black-and-white, it's lots of shades of grey
in between. Management
Tres Seaver wrote:
>
> > Taking HTTP alone, for simplicity of expression; I suppose what I'm
> > asking for is that there are two HTTP servers for one Zope instance.
> > The one on port 80 (for example) only responds to those URLs that are
> > for public viewing. The one on port 8081 (for example
Chris Withers <[EMAIL PROTECTED]> opined:
>
> Brian Lloyd wrote:
>
> [snip]
>
> > > Won't this break Amos' XML-RPC-based editor and similar hacks?
> >
> > Waaa probably. Ok, so I've _provisionally_ changed this in
> > the current CVS. I feel a to-the-death-cage-match coming on.
>
> Horse b
Itamar Shtull-Trauring wrote:
>
> Chris Withers wrote:
>
> > PS: The XML-RPC stuff could just be given the new view permission for
> > objectIds, if it REALLY needs it... although this would mean the
> > docstrings thing would have to be replaced, which isn't necessarily a
> > bad thing ;-)
>
>
Chris Withers wrote:
> PS: The XML-RPC stuff could just be given the new view permission for
> objectIds, if it REALLY needs it... although this would mean the
> docstrings thing would have to be replaced, which isn't necessarily a
> bad thing ;-)
Yes, it really needs it. My XML-RPC uploading i
Brian Lloyd wrote:
[snip]
> > Won't this break Amos' XML-RPC-based editor and similar hacks?
>
> Waaa probably. Ok, so I've _provisionally_ changed this in
> the current CVS. I feel a to-the-death-cage-match coming on.
Horse before the cart?
Maybe the XML-RPC editor needs fixing 'cos some
>
> Hmm, another ZAZ fan :-)
>
Don't get me started... :^)
> > a holdover from the bobo days - if you are a method and you have a
> > docstring, you are accessible through the web (but still subject to
> > the std security rules). objectIds and objectValues are a good
> > example of things t
Ty Sarna wrote:
> Can't you just turn off 'Access contents information' permission or
> whatever it is on a folder if you don't want people to call
> those things through the web?
"Default security hole" notwithstanding, I would second this. FWIW,
being able to type http://blah/objectIds is a pr
Brian:
> > While I'm at it, is there any way to make DTML methods accessible to
> > objects (such as other DTML methods) but not through URLs
> > other than by
> > a tortuous series of proxy roles?
> > I've expressed views about an 'execute' permission in the
> > past but these
> > have fallen
In article <[EMAIL PROTECTED]>,
Brian Lloyd <[EMAIL PROTECTED]> wrote:
> > How come you can browse things like the objectIds and objectValues
> > methods through the web? Surely this is exposing information
> > that people
> > shouldn't really know about?
>
> You're right - and stop calling me
> How come you can browse things like the objectIds and objectValues
> methods through the web? Surely this is exposing information
> that people
> shouldn't really know about?
You're right - and stop calling me shirley. :) This is something of
a holdover from the bobo days - if you are a method
Hi Duncan :-)
Cheers for the reply, but sorry, I'm not looking for a kludge solution.
I'm trying to find out if this is as intended, in which case there must
be a reason behind it (?!) or if it's a bug, in which case it needs to
be squashed...
thanks again,
Chris
> While I'm at it, is there any way to make DTML methods accessible to
> objects (such as other DTML methods) but not through URLs other than by a
> tortuous series of proxy roles? I've expressed views about an 'execute'
> permission in the past but these have fallen on deaf ears.
>
You could pro