Re: [Zope-dev] RE: objectIds accessiblilty & and a proposal
Toby Dickenson writes:
... protocol specific access rights ... Please No.
Zope security is complex enough without having to worry about different security settings depending on how a method is accessed. (And we should have a lower tolerance for complexity when it applies to security)
If a user has permission to access a method then he should be able to access it any way (xmlrpc, ZPublisher, DTML, PythonMethods)
I agree with you mostly.
But it might be a significant difference, whether you access via HTTP or HTTPS or even a protocol that provides trusted authentication. Furthermore, I would not bring DTML and web access on the same level: There are objects, that should be usable by Anonymous inside DTML but should not be viewable over the web (as they will only confuse). All page components (such as "standard_html_header/footer") fall into this category.
Dieter
[Dieter Maurer]
| There are objects, that should be usable by Anonymous inside DTML
| but should not be viewable over the web (as they will only confuse).
| All page components (such as "standard_html_header/footer") fall
| into this category.
Do you have any idea of how this could be done nicely?
Dieter Maurer wrote:
There are objects, that should be usable by Anonymous inside DTML but should not be viewable over the web (as they will only confuse). All page components (such as "standard_html_header/footer") fall into this category.
Totally agree... this has bugged me right since I started using Zope! :-S
cheers,
Chris
participants (3)
- Chris Withers
- Dieter Maurer
- Erik Enge