Re: [Zope-dev] protocol accesibility

2001-01-05 Thread Chris Withers

Toby Dickenson wrote:
 
 On Fri, 05 Jan 2001 12:18:07 +, Chris Withers [EMAIL PROTECTED]
 wrote:
 
 http://www.zope.org//Wikis/DevSite/Proposals/ProtocolAccessibility
 
 So it is :-)
 
 Comments are still welcome...
 
 Comments provided as requested

With sensible defaults, what I was proposing would be just as simple as
things are now, but explicit and flexible.

For example, if you start a method name with _, it's not URL
traversable, or available in DTML. I have no idea about FTP but it
probably won't be accessible through DAV.

Alternatively, if you give a method in a python a doc string, it will be
URL traversable. Take that doc string away and it won't be url
traversable but will be accessible in DTML. Again, don't know about FTP
or DAV.

I agree the wording might be bad (that proposal is very old now), but
how can something that seeks to clearly define and document something
that has already been partially and accidentally implemented (as was
often the Zope way ;-) be a bad thing?

cheers,

Chris

PS: 

How would you hide things like standard_html_header and _footer from
users?

Access Contents Information is needed by a lot of methods (some of which
aren't available to give proxy roles to) that using it to prevent people
from sniffing around in your site isn't feasible.

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
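
The implicit rules described in the message above (a leading underscore hides a method from URL traversal and DTML; a docstring makes it URL traversable; no docstring leaves it DTML-only), with explicit per-protocol declarations layered on top. This is an added toy model, not Zope code and not the proposal's API: the `explicit` declaration format and all names are hypothetical, and only the two protocols the message is definite about are modelled.

```python
# Added illustration: a toy model of the rules in the message, not ZPublisher code.
PROTOCOLS = ("url", "dtml")  # FTP and DAV are left out: the message is unsure of them


def implicit_access(name, obj):
    """Defaults that mirror the implicit rules described in the message."""
    if name.startswith("_"):
        return {"url": False, "dtml": False}
    has_doc = bool((getattr(obj, "__doc__", None) or "").strip())
    return {"url": has_doc, "dtml": True}


def access_table(namespace, explicit=None):
    """Implicit defaults plus explicit overrides ({name: {protocol: bool}}, hypothetical)."""
    explicit = explicit or {}
    table = {}
    for name, obj in namespace.items():
        row = implicit_access(name, obj)
        for protocol, allowed in explicit.get(name, {}).items():
            if protocol not in PROTOCOLS:
                # Fail closed on a declaration nobody can enforce.
                raise ValueError(f"unknown protocol {protocol!r} for {name!r}")
            row[protocol] = allowed
        table[name] = row
    return table


# Constructed sample methods.
def index_html():
    """Front page."""

def helper():
    pass

def _private():
    """Documented, but the leading underscore wins."""

def standard_html_header():
    """Shared page header."""

SAMPLE = {f.__name__: f for f in (index_html, helper, _private, standard_html_header)}


def demo():
    """Return (implicit defaults, defaults plus one explicit declaration)."""
    declared = access_table(SAMPLE, {"standard_html_header": {"url": False}})
    return access_table(SAMPLE), declared


if __name__ == "__main__":
    for label, table in zip(("implicit", "declared"), demo()):
        for name, row in table.items():
            print(f"{label:9} {name:22} url={row['url']!s:5} dtml={row['dtml']}")
```

With no declarations the table reproduces today's behaviour; the single declaration keeps `standard_html_header` usable from DTML while removing it from URL traversal.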




Re: [Zope-dev] protocol accesibility

2001-01-05 Thread Chris Withers

Toby Dickenson wrote:
 
 IMO their goals are achieved better, and simpler, with a HOWTO
 that explains how to configure the 'access contents information' permission.

That's not been my experience, but maybe that How-To would help :-)
Care to write it? ;-)

 I think perhaps you haven't appreciated the simplicity of the current
 arrangement - all protocols work the same.

That remains to be proved, even given the DTML wart you mentioned ;-)

 Your word 'accidentally' is a good hint as to the reason. A better (IMO)
 principle is 'protocol independence' - a method should behave the same no
 matter how it is called.

Protocol independence is not necessarily a good thing in this case.
Different protocols have different capabilities. For example, you might
trust someone a lot more if they were using HTTPS rather than HTTP.

So, there is a disagreement here. What I proposed would enable us both
to be happy, without any more work on your part thanks to defaults that
leave things as they are now. Your point of view leaves only you happy
;-)

  How would you hide things like standard_html_header and _footer from
  users?
 
 I'm not sure why they need to be, please explain. I don't think 'tidiness' is
 a sufficient reason. 

I do, and I'm sure others do too. It doesn't look very professional
when things like http://www.zope.org/standard_html_header and
http://www.cbsnewyork.com/objectIds are left hanging out.
http://www.cbsnewyork.com/rubbish ain't none too nice either, likewise
http://www.cbsnewyork.com/manage...

cheers,

Chris





Re: [Zope-dev] protocol accesibility

2001-01-05 Thread Chris Withers

Toby Dickenson wrote:
 
  That's not been my experience, but maybe that How-To would help :-)
  Care to write it? ;-)
 
 It is on my todo list

cool :-)

  Protocol independence is not necessarily a good thing in this case.
  Different protocols have different capabilities.
 
 The zope way of modelling different capabilities is through roles. The right
 way to achieve this is to allocate different roles based on protocol.

how do you do that? (refs to how-to's, docs, etc all good, just that I
never knew you could do that :-)

 You could do this today using LoginManager, which allows for roles to be
 *computed* during authentication. Give your users different roles depending
 on whether they use http or https. (

or ftp?

 Indeed, I would be keen to see this
 feature in the standard user folder)

Maybe that's what I should have said in my proposal ;-)

 Note that protocol is not a key factor here: you might also trust them more
 if the socket connection comes from localhost.

very true

  http://www.zope.org/standard_html_header
 
 Can you explain *why* this is a problem? While I agree it's untidy, it's only
 an untidiness seen by people who go looking for it.

Some people (or am I the only one ;-) don't really find that acceptable.
The paranoid part of me also wants to know that it isn't possible to
find this, as it should only be used by other stuff inside zope, why
should stuff outside of zope get to play with it?

  http://www.cbsnewyork.com/objectIds are left hanging out.
 
 I propose securing the 'access contents information' permission, and you
 haven't explained why this is flawed.

Securing the permission? perhaps you could explain that a bit more :-S

  http://www.cbsnewyork.com/rubbish ain't none too nice either, likewise
 
 That document has since been removed. 

Nope, that's the point, it gives a yucky Zope Error which lowers user
confidence, rather than saying 'that page wasn't found, perhaps you'd
like to look here or here', but, to be fair, that's because whoever
built that site didn't bother to make standard_error_message useful
(don't get me started on tacking tracebacks on the end of html generated
by that page ;-)

  http://www.cbsnewyork.com/manage...
 
 I get an authentication dialog so?

Hit cancel. Again, a yucky Zope error rather than saying 'sorry, your
username or password were wrong', or, in reference to this thread, not
actually being _visible_ to this protocol at all. eg: should raise a
404, as standard_html_header should ;-)

cheers,

Chris
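
The idea discussed in this message, roles computed at authentication time from the protocol and the connection's source address, as an added sketch. It is not LoginManager's API or any Zope code: the function names, the `REQUIREMENTS` policy and the "Maintenance" role are hypothetical, and the sample addresses are constructed.

```python
import ipaddress

# Hypothetical policy: what a connection must offer before a stored role is granted.
# Roles not listed here are granted on any connection.
REQUIREMENTS = {
    "Manager": "secure",      # HTTPS, or a loopback connection
    "Maintenance": "local",   # loopback connections only
}


def is_loopback(remote_addr):
    """True only for a well-formed loopback address; malformed input is not trusted."""
    try:
        return ipaddress.ip_address(remote_addr).is_loopback
    except ValueError:
        return False


def effective_roles(stored_roles, scheme, remote_addr):
    """Filter a user's stored roles by how the request arrived.

    remote_addr must be the socket peer address, not a client-supplied header.
    """
    secure = scheme.lower() == "https"   # http, ftp and anything unknown: not secure
    local = is_loopback(remote_addr)
    granted = []
    for role in stored_roles:
        need = REQUIREMENTS.get(role)
        if need == "secure" and not (secure or local):
            continue
        if need == "local" and not local:
            continue
        granted.append(role)
    return granted


if __name__ == "__main__":
    stored = ["Manager", "Maintenance", "Member"]
    for scheme, addr in (("http", "203.0.113.7"), ("https", "203.0.113.7"),
                         ("ftp", "203.0.113.7"), ("http", "127.0.0.1")):
        print(scheme, addr, effective_roles(stored, scheme, addr))
```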
