Toby Dickenson writes:
> > ... protocol specific access rights ...
> Please No.
>
> Zope security is complex enough without having to worry about
> different security settings depending on how a method is accessed.
> (And we should have a lower tolerance for complexity when it applies
> to security)
>
> If a user has permission to access a method then he should be able to
> access it any way (xmlrpc, ZPublisher, DTML, PythonMethods)
I agree with you mostly.
But it might be a significant difference, whether
you access via HTTP or HTTPS or even a protocol that
provides trusted authentication.
Furthermore, I would not bring DTML and web access on the same
level:
There are objects, that should be usable by Anonymous
inside DTML but should not be viewable over the
web (as they will only confuse).
All page components (such as "standard_html_header/footer")
fall into this category.
Dieter
_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )