> > If you type in http://www.zope.org/Members/objectIds you get a list of
> > all Members. Although it is a useful feature.. ;) .. I can't really
> > see why objectIds should be available for everyone, at any given time.
> >
> > Is this a bug or a feature?
>
> I was able to do this as anonymous on another Zope site as well. It
> basically lets you do a directory listing of any folderish object. Using
> objectValues, you can learn the type of objects that live there too.
>
> This lets you learn about all objects, even if you do not have view
> rights to the object listed. However, you do need view rights to the
> folder you are calling objectIds for.
>
> This does seem to me like a way for clandestine users to learn more
> information about your site than they need to know. Perhaps this
> "feature" needs to be locked down.

This is something that has come up before. I propose
that the real problem here is that 'objectIds' should
not be web-traversable.

I have, in fact, proposed this before. It caused a bit
of grumbling among people using xml-rpc, who were using
objectIds remotely, so we never came to closure on it.

This comes up often enough that I'm inclined to do
something about it for 2.3. I propose that objectIds
(and objectValues) will not be directly accessible
via the Web in 2.3. For xml-rpc applications, it should
be a simple enough task to create a Python Script (or
even a DTML Method) that *is* Web accessible to relay
that information if it is needed.

Thoughts?

Brian Lloyd [EMAIL PROTECTED]
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com
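
The listing behaviour discussed in this thread, next to a relay that only returns ids the caller may view, as an added example that is not part of the original message and is not Zope code. Item, Folder, can_view, visible_ids and the role names are hypothetical stand-ins for Zope objects and the View permission; filtering per object is an assumption about what such a relay should do.

```python
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Raised when the caller lacks View on the folder itself."""


@dataclass
class Item:
    id: str
    view_roles: frozenset  # roles granted View on this object (constructed model)


@dataclass
class Folder(Item):
    children: list = field(default_factory=list)

    def objectIds(self):
        # Behaviour described in the thread: every child id is returned,
        # with no check of the caller's rights on the individual children.
        return [child.id for child in self.children]


def can_view(roles, obj):
    """True if any of the caller's roles is granted View on obj."""
    return not obj.view_roles.isdisjoint(roles)


def visible_ids(folder, roles):
    """Relay: require View on the folder, then list only viewable children."""
    if not can_view(roles, folder):
        raise Unauthorized(folder.id)
    return [c.id for c in folder.children if can_view(roles, c)]


def sample_members():
    # Constructed sample data: one public member page, two restricted objects.
    everyone = frozenset({"Anonymous", "Manager"})
    managers = frozenset({"Manager"})
    return Folder("Members", everyone, [
        Item("alice", everyone),
        Item("bob", managers),
        Item("drafts", managers),
    ])


if __name__ == "__main__":
    members = sample_members()
    print("objectIds():         ", members.objectIds())
    print("relay for Anonymous: ", visible_ids(members, {"Anonymous"}))
```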