Toby Dickenson writes:
 > > ... protocol specific access rights ...
 > Please No.
 > Zope security is complex enough without having to worry about
 > different security settings depending on how a method is accessed.
 > (And we should have a lower tolerance for complexity when it applies
 > to security)
 > If a user has permission to access a method then he should be able to
 > access it any way (xmlrpc, ZPublisher, DTML, PythonMethods)
I agree with you mostly.

   But it might be a significant difference, whether
   you access via HTTP or HTTPS or even a protocol that
   provides trusted authentication.

Furthermore, I would not bring DTML and web access on the same

   There are objects, that should be usable by Anonymous
   inside DTML but should not be viewable over the
   web (as they will only confuse).
   All page components (such as "standard_html_header/footer")
   fall into this category.


Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - )

Reply via email to