Paul Winkler wrote:
> On Sun, Jan 29, 2006 at 12:19:24PM +0100, Balazs Ree wrote:
> > So this is where I see the importance of this: allow access to a
> > method/template via RPC only, and disallow the method to be called
> > directly from the browser.
> I'm curious.
> How do you distinguish between a jsonrpc request and a direct
> browser request?
There are a few attributes that distinguish a jsonrpc request in Zope3
from a direct browser request.
First, the request must be a POST with a content-type of
"application/json-rpc". That is the listening handshake registered by
jsonserver so that the request is handled as a JSONRPCRequest.
The URL for object traversal is the URL of the context object. The
method to be performed is identified in the body of the request, and has
a specific syntax for method and parameters. The methods on the server
side are provided in a view class for the context object, and are
protected by permissions registered in zcml. When jsonserver gets the
request, the appropriate method of the view class is invoked in the
context of the context object, and the results are returned in jsonrpc
format.
The methods of the view class are not very different from methods of any
other browser view class. In a page template, they would likely be
accessible as "view/method_name". But they are also not accessible by
direct URL traversal, unless you do extra work to allow that.
In Zope2, with ttw object methods, the distinction between a jsonrpc
request and a direct browser request can be a bit blurred. Such a
method would have a URL and would be ordinarily traversable in a direct
browser request.
-Jim Washington
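The dispatch described in the mail, as an added example that is not part of the original thread or of jsonserver: a hypothetical ContextView whose RPC_METHODS set stands in for the zcml permission registration, and a handle_request function that treats only a POST with content type application/json-rpc as JSON-RPC, lets a direct browser request render the context object, and never lets URL traversal reach a view method. The context dict and the status codes are constructed for the example.

```python
import json

JSONRPC_CONTENT_TYPE = "application/json-rpc"


class ContextView:
    """Hypothetical view class for a context object.  RPC_METHODS stands in for
    the zcml permission registration: only these names are callable over RPC."""

    RPC_METHODS = frozenset({"get_title", "set_title"})

    def __init__(self, context):
        self.context = context

    def get_title(self):
        return self.context["title"]

    def set_title(self, title):
        self.context["title"] = title
        return True


def is_jsonrpc(method, headers):
    """The handshake from the mail: a POST carrying the JSON-RPC content type."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return method == "POST" and ctype == JSONRPC_CONTENT_TYPE


def handle_request(context, method, subpath, headers, body):
    """Return (status, payload) for one request addressed to a context object.
    subpath is what follows the object's URL ("" means the object itself)."""
    if not is_jsonrpc(method, headers):
        # Direct browser request: it may render the object, but a view method
        # name appended to the URL (".../set_title") is not traversable.
        return (404, {"error": "not found"}) if subpath else (200, {"context": context["title"]})
    try:
        call = json.loads(body)
        name, params, call_id = call["method"], call.get("params", []), call.get("id")
    except (ValueError, KeyError, TypeError):
        return 400, {"result": None, "error": "parse error", "id": None}
    view = ContextView(context)
    if not isinstance(name, str) or name not in view.RPC_METHODS or not isinstance(params, list):
        return 404, {"result": None, "error": "method not found", "id": call_id}
    try:
        result = getattr(view, name)(*params)  # invoked in the context of the object
    except TypeError:  # wrong number of parameters
        return 400, {"result": None, "error": "invalid params", "id": call_id}
    return 200, {"result": result, "error": None, "id": call_id}
```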
_______________________________________________
Zope3-dev mailing list
Zope3-dev@zope.org