> >This is something that has come up before. I propose
> >that the real problem here is that 'objectIds' should
> >not be web-traversable.
> >
> >I have, in fact, proposed this before. It caused a bit
> >of grumbling among people using xml-rpc, who were using
> >objectIds remotely, so we never came to closure on it.
>
> Please No.
>
> Zope security is complex enough without having to worry about
> different security settings depending on how a method is accessed.
> (And we should have a lower tolerance for complexity when it applies
> to security)

As a compromise, all I've done is make 'objectIds' and
'objectValues' non Web traversable. It is simple enough
for anyone who actually _wants_ to use them to write
a DTML Method like:

  <dtml-return objectIds>

...and use that instead of calling 'objectIds' directly over
HTTP. This should make those concerned about the exposure of
names happier without placing much of a burden on those who want
them exposed, and does not complicate the security model.

FWIW, I agree that adding access method into the security
mix would add a great deal of complexity. It may turn out
to be necessary in the future, but I'm not yet convinced
of that.

Brian Lloyd [EMAIL PROTECTED]
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com
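The compromise described in the message above, modelled as an added Python example (constructed for this page, not Zope's code and not Brian's): a method keeps one access setting whether it is called from code or reached by URL, so hiding 'objectIds' from the web and re-exposing it through an explicitly published wrapper needs no per-access-path rules. `Folder`, `publish` and the wrapper `listing` are hypothetical stand-ins for Zope's folder, publisher and a DTML Method.

```python
"""Constructed model of 'non-web-traversable but callable from code'."""

PUBLIC = None   # roles value meaning "anyone may reach it via the web"
PRIVATE = ()    # roles value meaning "no web role at all"; code may still call it


class Unauthorized(Exception):
    pass


class Folder:
    """Hypothetical container; children live in _objects, like a Zope folder."""

    def __init__(self, **children):
        self._objects = dict(children)

    def __getattr__(self, name):
        try:
            return self.__dict__["_objects"][name]
        except KeyError:
            raise AttributeError(name)

    def objectIds(self):
        return sorted(self._objects)

    def objectValues(self):
        return [self._objects[k] for k in self.objectIds()]

    # One setting per method, independent of how it is reached.
    objectIds__roles__ = PRIVATE
    objectValues__roles__ = PRIVATE

    def listing(self):
        """Stand-in for a DTML Method '<dtml-return objectIds>' that a site
        author publishes on purpose (hypothetical name)."""
        return self.objectIds()

    listing__roles__ = PUBLIC


def publish(obj, path, user_roles=("Anonymous",)):
    """Minimal URL traversal: walk each path segment and refuse any name whose
    roles setting does not admit the requesting user; call the final object."""
    for name in path.strip("/").split("/"):
        if name.startswith("_"):
            raise Unauthorized(name)           # never traverse private attributes
        roles = getattr(obj, name + "__roles__", PUBLIC)
        if roles is not PUBLIC and not set(roles) & set(user_roles):
            raise Unauthorized(name)           # PRIVATE matches no web role
        obj = getattr(obj, name)
    return obj() if callable(obj) else obj
```

Trusted code may still call `root.objectIds()` directly; only the HTTP path `root/objectIds` is closed, while `root/listing` returns the same names because its author chose to expose them.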
_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )