> How come you can browse things like the objectIds and objectValues
> methods through the web? Surely this is exposing information 
> that people
> shouldn't really know about?

You're right - and stop calling me shirley. :) This is something of
a holdover from the bobo days - if you are a method and you have a
docstring, you are accessible through the web (but still subject to 
the std security rules). objectIds and objectValues are a good 
example of things that really only want to be used from DTML and 
thus shouldn't have docstrings. I've changed this (and a few other
iffy methods) for the next release.

> While I'm at it, is there any way to make DTML methods accessible to
> objects (such as other DTML methods) but not through URLs 
> other than by
> a tortuous series of proxy roles?
> I've expressed views about an 'execute' permission in the 
> past but these
> have fallen on deaf ears.
> For example:
> http://www.codecatalog.com/standard_html_footer
> This is messy and there's no reason why it needs to be 
> exposed through a
> URL.

I don't have a good answer for you, though I tend to agree with 
you that some things just don't want to be accessed outside of 
some larger context. I'd like to hear some different viewpoints 
on how people think something like this should work...

Brian Lloyd        [EMAIL PROTECTED]
Software Engineer  540.371.6909              
Digital Creations  http://www.digicool.com 

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope )

Reply via email to