On Mon, 18 Dec 2000 14:11:51 -0500, "Brian Lloyd" <[EMAIL PROTECTED]>
wrote:
>This is something that has come up before. I propose
>that the real problem here is that 'objectIds' should
>not be web-traversable.
>
>I have, in fact, proposed this before. It caused a bit
>of grumbling among people using xml-rpc, who were using
>objectIds remotely, so we never came to closure on it.
Please No.
Zope security is complex enough without having to worry about
different security settings depending on how a method is accessed.
(And we should have a lower tolerance for complexity when it applies
to security)
If a user has permission to access a method then he should be able to
access it any way (xmlrpc, ZPublisher, DTML, PythonMethods)
Conversely, if a user is given an "Access Denied" message using one
means of access (say, using ZPublisher) then he *must* also be denied
using every other one. Security testing is much harder without this
property.
If anyone is seriously worried about this a a problem then can already
deny Anonymous users the 'Access contents information' permission, and
grant a proxy role to methods that generate indexes. (Indeed, this may
make sense as the default configuration)
Toby Dickenson
[EMAIL PROTECTED]
_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )