Toby Dickenson writes:
 > > ... protocol specific access rights ...
 > Please No.
 > 
 > Zope security is complex enough without having to worry about
 > different security settings depending on how a method is accessed.
 > (And we should have a lower tolerance for complexity when it applies
 > to security)
 > 
 > If a user has permission to access a method then he should be able to
 > access it any way (xmlrpc, ZPublisher, DTML, PythonMethods)
I agree with you mostly.

   But it might be a significant difference whether
   you access via HTTP or HTTPS or even a protocol that
   provides trusted authentication.

Furthermore, I would not bring DTML and web access on the same
level:

   There are objects that should be usable by Anonymous
   inside DTML but should not be viewable over the
   web (as they will only confuse).
   All page components (such as "standard_html_header/footer")
   fall into this category.


Dieter

_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev