> Hmm, another ZAZ fan :-)
Don't get me started... :^)
> > a holdover from the bobo days - if you are a method and you have a
> > docstring, you are accessible through the web (but still subject to
> > the std security rules). objectIds and objectValues are a good
> > example of things that really only want to be used from DTML and
> > thus shouldn't have docstrings. I've changed this (and a few other
> > iffy methods) for the next release.
> Won't this break Amos' XML-RPC-based editor and similar hacks?
Waaa.... probably. Ok, so I've _provisionally_ changed this in
the current CVS. I feel a to-the-death-cage-match coming on.
> Can't you just turn off 'Access contents information' permission or
> whatever it is on a folder if you don't want people to call
> those things trough the web?
Yes you could, except that you would also make them inaccessible
from DTML (or from anywhere else) for the same class of users.
Is it really acceptable that in order to use <dtml-in objectIds>
on a page that needs to be accessible to anonymous users that I
must grant 'Access contents information' to anonymous users and
thus give them the ability to inspect my objects if they want to?
I have a feeling that intent will need to become more important
somehow in the future. As we add more protocols and types of
usage to Zope, it becomes harder for a single permission to
really cover a resource in a way that makes sense for all of
the various usages. From the point of view of an xml-rpc based
client app, having objectIds and the like may be an absolute
necessity, while from a pure HTTP standpoint many would
at best consider it superfluous or at worst consider it
a security hole.
*sigh*. Maybe the right short-term thing is to just leave it
the way it was and tell people who may be concerned about it
to turn it off via that permission and live the repercussions
that will have in their DTML. I guess at least that way the
software isn't taking the choice out of their hands.
Brian Lloyd [EMAIL PROTECTED]
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com
Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists -