In article <613145F79272D211914B0020AFF640195A719F@gandalf.digicool.com>, Brian Lloyd <Brian@digicool.com> wrote:
> > How come you can browse things like the objectIds and objectValues methods through the web? Surely this is exposing information that people shouldn't really know about?
> You're right - and stop calling me shirley. :) This is something of

Hmm, another ZAZ fan :-)

> a holdover from the bobo days - if you are a method and you have a docstring, you are accessible through the web (but still subject to the std security rules). objectIds and objectValues are a good example of things that really only want to be used from DTML and thus shouldn't have docstrings. I've changed this (and a few other iffy methods) for the next release.
Won't this break Amos' XML-RPC-based editor and similar hacks? Can't you just turn off 'Access contents information' permission or whatever it is on a folder if you don't want people to call those things through the web?
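
The two controls discussed in this thread (the docstring rule and the folder permission), shown in a simplified model. This is an added example, not part of the original posts and not ZPublisher code; `Folder`, `publish`, `outcome`, the role names and the sample tree are all assumptions made for illustration.

```python
# Simplified model of the rule described in the thread; not ZPublisher source.
ACCESS = "Access contents information"  # permission name as written in the thread

class NotFound(Exception): pass
class Forbidden(Exception): pass

class Folder:
    """A folder that can be traversed through the web."""
    def __init__(self, **children):
        self._children = children
        # Constructed policy: permission name -> roles granted it on this folder.
        self._permissions = {ACCESS: {"Anonymous", "Manager"}}

    def objectIds(self):
        """Return the ids of the contained objects."""
        return sorted(self._children)
    objectIds.permission = ACCESS

    def objectValues(self):  # no docstring: usable from templates, not from URLs
        return [self._children[k] for k in sorted(self._children)]
    objectValues.permission = ACCESS

def publish(root, path, roles):
    """Resolve a URL path against root for a caller holding the given roles."""
    obj = root
    for name in filter(None, path.split("/")):
        if name.startswith("_"):
            raise NotFound(name)  # private names are never traversable
        children = getattr(obj, "_children", {})
        target = children[name] if name in children else getattr(obj, name, None)
        if target is None or not getattr(target, "__doc__", None):
            raise NotFound(name)  # docstring rule: undocumented means unpublished
        needed = getattr(target, "permission", None)
        allowed = getattr(obj, "_permissions", {}).get(needed, set())
        if needed and not (set(roles) & allowed):
            raise Forbidden(name)  # the security rules still apply
        obj = target
    return obj() if callable(obj) else obj

def outcome(root, path, roles):
    """Return the published value, or the name of the error raised."""
    try:
        return publish(root, path, roles)
    except (NotFound, Forbidden) as exc:
        return type(exc).__name__

site = Folder(docs=Folder(a=Folder(), b=Folder()))  # constructed sample tree
```

In this model, removing the docstring hides a method from every web caller, including authenticated clients such as an XML-RPC editor, while removing a role from the permission set only blocks callers who lack the remaining roles.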