Martijn Faassen wrote:
So you have something like:
[snip]
Of course this sounds like it could get unwieldy, unless there was some clear user interface.
This would be unwieldy, I prefer the suggestion I made (obviously ;-) which gets around this...
From the point of view of an xml-rpc based client app, having objectIds and the like may be an absolute necessity, while from a pure HTTP standpoint many would at best consider it superfluous or at worst consider it a security hole.
Well, yes, but its the same problem no matter what your protocol: Should a user be able to do something with a method or should a method used by user be able to do something with a method? The second case, the use is defined by the person who wrote the application, the first case it's defined by the (possibly malicious) user... This sounds a lot like proxy roles, I know, but they'er just to clumsy for this special case...
Um, is there a good workaround then, if you turn it off? I mean, if you turn off 'Access Contents Information' *and* you want a DTML method that generates an index of all subfolders, what do you do? Work with proxies?
Yes, lots of them and in a very complicated fashion which is easy to screw up and so defeat the point of doing it in the first place ;-) cynically, Chris PS: I'll try and cheer up later :S