> > .... This is because the thing which makes
> > the problem hard is that something like standard_html_header
> wants to be
> > editable by Managers TTW, which means it also has to be visible TTW.
> > However, it's probably not something you want exposed to anonymous
> > users, especially as a TTW enitity in its own right. objectIds is my
> > other favourite example ;-)
OK, I'm still a newbie, and in particular I have yet to get my head round
zope security properly. But I'm going to attempt to comment on this anyway.
For me, the 'visibility' problem is a real bugbear. Apart from the
'security' issue of anon. users being able to list objectIds, it means I am
loathe to allow clients to manage their sites through the manage interface.
This is because they'll see it littered with methods which pop up a login
box whenever they click on them. It looks horrible and unprofessional.
Anyway, I agree with Dieter / Chris. Adding a 'URL Traversable'
('listable'?) permission to all objects and then tweaking methods that do
the traversing (objectIds, objectValues) would presumably fix this? Would
this be easy? I've never had a look at the security internals, but I'm
looking forward to having a go...
Chris W was talking about adding security on a protocol level as well as an
object level, but I can't really see why you would only want to be able to
edit a document through webDAV but *not* TTW. In my mind, you're either
authenticated to do a task, or you're not. It doesn't matter *how* you do
it. That's why 'listable' or something like it would be a better name for
the permission than 'URL Traversable', IMHO (although they both sound
*ugly*). Someone mentioned they found the ftp access permission useful -
I'd be interested to know how / why.
Zope maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists -