If you type in http://www.zope.org/Members/objectIds you get a list of all Members. Although it is a useful feature.. ;) .. I can't really see why objectIds should be available for everyone, at any given time.
Is this a bug or a feature?
I was able to do this as anonymous on another Zope site as well. It basically lets you do a directory listing of any folderish object. Using objectValues, you can learn the type of objects that live there too.
This lets you learn about all objects, even if you do not have view rights to the object listed. However, you do need view rights to the folder you are calling objectIds for.
This does seem to me like a way for clandestine users to learn more information about your site than they need to know. Perhaps this "feature" needs to be locked down.
This is something that has come up before. I propose that the real problem here is that 'objectIds' should not be web-traversable. I have, in fact, proposed this before. It caused a bit of grumbling among people using xml-rpc, who were using objectIds remotely, so we never came to closure on it.
This comes up often enough that I'm inclined to do something about it for 2.3. I propose that objectIds (and objectValues) will not be directly accessible via the Web in 2.3. For xml-rpc applications, it should be a simple enough task to create a Python Script (or even a DTML Method) that *is* Web accessible to relay that information if it is needed.
Thoughts?
Brian Lloyd brian@digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com
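
Added example (not part of the original thread and not Zope's own code): the relay idea from the last message, sketched as a Python function that returns only the ids of objects the caller may view, so the listing no longer reveals objects the caller has no view rights to. `listable_ids`, `role_checker`, `FakeFolder`, `FakeObject` and the sample data are constructed for illustration; inside Zope the check is assumed to be AccessControl's `getSecurityManager().checkPermission('View', ob)`.

```python
# Constructed stand-ins for a Zope folder so the example runs offline.
# In a Script (Python) the folder would be `context`.

class FakeObject:
    def __init__(self, meta_type, viewers):
        self.meta_type = meta_type
        self.viewers = set(viewers)  # roles allowed to view (constructed)


class FakeFolder:
    def __init__(self, items):
        self._items = dict(items)

    def objectItems(self):
        # Same shape as ObjectManager.objectItems(): (id, object) pairs.
        return list(self._items.items())


def listable_ids(folder, can_view, allowed_types=None):
    """Relay a listing, but only for objects the caller may view.

    can_view: callable(ob) -> bool. Assumed Zope equivalent:
        lambda ob: getSecurityManager().checkPermission('View', ob)
    allowed_types: optional set of meta_types the relay agrees to expose.
    """
    ids = []
    for oid, ob in folder.objectItems():
        if allowed_types is not None and ob.meta_type not in allowed_types:
            continue  # relay exposes only the types it was written for
        if not can_view(ob):
            continue  # do not reveal that a non-viewable object exists
        ids.append(oid)
    return sorted(ids)


def role_checker(role):
    # Hypothetical permission check used only with the stand-in objects.
    return lambda ob: role in ob.viewers


# Constructed sample data: one member folder is not viewable anonymously.
MEMBERS = FakeFolder({
    "alice": FakeObject("Folder", ["Anonymous", "Manager"]),
    "bob": FakeObject("Folder", ["Manager"]),
    "index_html": FakeObject("DTML Method", ["Anonymous", "Manager"]),
})
```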