On Mon, 18 Dec 2000 14:11:51 -0500, "Brian Lloyd" <brian@digicool.com> wrote:
This is something that has come up before. I propose that the real problem here is that 'objectIds' should not be web-traversable.
I have, in fact, proposed this before. It caused a bit of grumbling among people using xml-rpc, who were using objectIds remotely, so we never came to closure on it.
Please No. Zope security is complex enough without having to worry about different security settings depending on how a method is accessed. (And we should have a lower tolerance for complexity when it applies to security) If a user has permission to access a method then he should be able to access it any way (xmlrpc, ZPublisher, DTML, PythonMethods) Conversely, if a user is given an "Access Denied" message using one means of access (say, using ZPublisher) then he *must* also be denied using every other one. Security testing is much harder without this property. If anyone is seriously worried about this a a problem then can already deny Anonymous users the 'Access contents information' permission, and grant a proxy role to methods that generate indexes. (Indeed, this may make sense as the default configuration) Toby Dickenson tdickenson@geminidataloggers.com