Seb Bacon writes:
> For me, the 'visibility' problem is a real bugbear. Apart from the
> 'security' issue of anon. users being able to list objectIds, it means I am
> loathe to allow clients to manage their sites through the manage interface.
> This is because they'll see it littered with methods which pop up a login
> box whenever they click on them. It looks horrible and unprofessional.
I just tried what would happen (as I did not believe it would be
as bad as you described it):
* I gave "Anonymous" the "View Management Screens" permission
for a folder.
* I was then able to access the manage URL for the folder
(without authentication), but the main frame displayed
an acquired "index_html" rather than the folders content
* I tried to manage a containing DTML method, but a login
was requested: "No authentication header".
Apparently, DTML method management requires at least
an authenticated user.
Thus, I played with an authenticated user.
The behaviour was not too bad (though not completely satisfactory).
As you expected, the folder contents displayed all containing
objects, even objects I did not have "View" permissions.
When I clicked on such an object, I got an "manage_workspace" screen
with just the "ownership" tab. Not overwhelming but not too bad either.
When I had "View" permissions but no "change" permissions, I
did not get a "manage_workspace" screen, but the object was
viewed automatically. Not what I would have expected, but not too bad
When I had a "change" permission, I got the expected "manage_workspace"
> Anyway, I agree with Dieter / Chris. Adding a 'URL Traversable'
> ('listable'?) permission to all objects and then tweaking methods that do
> the traversing (objectIds, objectValues) would presumably fix this? Would
> this be easy? I've never had a look at the security internals, but I'm
> looking forward to having a go...
I think, the implementation would be easy.
Management, however, would be more difficult, as there are no
good defaults for the "URL Traversable" permission.
It is not easy, to determine (e.g.) for a DTML method/document
whether it is only used as a component (such as
"standard_html_header") or is a full grown presentation method.
Zope maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists -