Martijn Faassen wrote:
> So you have something like:
> Of course this sounds like it could get unwieldy, unless there was
> some clear user interface.
This would be unwieldy, I prefer the suggestion I made (obviously ;-)
which gets around this...
> > From the point of view of an xml-rpc based
> > client app, having objectIds and the like may be an absolute
> > necessity, while from a pure HTTP standpoint many would
> > at best consider it superfluous or at worst consider it
> > a security hole.
Well, yes, but it's the same problem no matter what your protocol:
Should a user be able to do something with a method or
should a method used by a user be able to do something with a method?
The second case, the use is defined by the person who wrote the
application, the first case it's defined by the (possibly malicious)
This sounds a lot like proxy roles, I know, but they're just too clumsy
for this special case...
> Um, is there a good workaround then, if you turn it off? I mean,
> if you turn off 'Access Contents Information' *and* you want a
> DTML method that generates an index of all subfolders, what do you
> do? Work with proxies?
Yes, lots of them and in a very complicated fashion which is easy to
screw up and so defeat the point of doing it in the first place ;-)
PS: I'll try and cheer up later :S
Zope-Dev maillist - [EMAIL PROTECTED]