Toby Dickenson writes:
... protocol specific access rights ... Please No.
Zope security is complex enough without having to worry about different security settings depending on how a method is accessed. (And we should have a lower tolerance for complexity when it applies to security)
If a user has permission to access a method then he should be able to access it any way (xmlrpc, ZPublisher, DTML, PythonMethods)

I agree with you mostly.
But it might be a significant difference whether you access via HTTP or HTTPS or even a protocol that provides trusted authentication.

Furthermore, I would not bring DTML and web access on the same level: there are objects that should be usable by Anonymous inside DTML but should not be viewable over the web (as they will only confuse). All page components (such as "standard_html_header/footer") fall into this category.

Dieter