-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jean-Marc Orliaguet wrote:

> I didn't know that methods needed to have docstrings to be traversable
> (it took me some time to find out why I was getting "Not found" errors
> on some of a tool's methods). Is there any reason to still have such a
> "feature" in Zope2.9?

"Publishable methods have docstrings" is the oldest security model in
Zope / Bobo.  It would open unknown security holes in 3rd party
applications if we removed that restriction.  Even setting the default
value of '__allow_access_to_unprotected_subobjects__' to False wouldn't
help, because there are many products which set that to True for their
objects, relying on the lack of docstring to make their methods safe
from direct URL access.

In fact, this restriction is *different* than the "permission-role" one:
 even methods whose roles are None (i.e. public), and therefore can be
called by scripts run by anonymous users, are prevented from being
"published" if they have no docstrings.

> or at least maybe there could be a hint in the
> trace log.

I *thinK* if you run in debug mode with verbose security turned on, it
suggests that as one possible reason.


Tres.
- --
===================================================================
Tres Seaver          +1 202-558-7113          [EMAIL PROTECTED]
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFD3h0R+gerLs4ltQ4RAlmLAKCrmf+35VoB3BDFS2EhmL/xdTsPgQCgsVOw
wQwUqnMOPLJcamP13ziZ4rQ=
=KoIC
-----END PGP SIGNATURE-----

_______________________________________________
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )

Reply via email to