I'm afraid that info is also far too dynamic to be kept up to date. I can imagine two solutions:

1. A 'deny everything that isn't explicitly allowed' policy. One could tell Apache to allow requests only for objects containing a certain string, e.g. '_html'. This way propertyItems and so on wouldn't be accessible. This method would certainly require a lot of planning beforehand.

2. I always dreamt about a tool that in a first step (accessing ZODB directly) walks down the object tree and collects whatever is potentially accessible and then in a second step tries to access the collected items via http and displays the results (i.e. the URL of the accessible stuff). This way it would be easy to find out what happens when you change permissions.

Ragnar
Ragnar Beer writes:
> I spent some time searching the documentation for an explanation of the "Access_contents_information" permission but didn't find anything. I think this is vital information for any Zope admin and should be easy to find. How can I set up permissions when I can't find out exactly what permissions I'm actually granting?

While I understand your wish, it probably is not that easy. I expect that there was not a precise design behind the security declarations. Instead, there was probably an initial set of permissions, "View", "Access contents information", ... with nothing more than the informal meaning expressed by the English words describing the permission (not too bad...). For me, this informal use has been sufficient so far.

When you really want to learn about all details, then you may use a tool to find all occurrences of "Access contents information" in the Zope sources (I work under Unix and would use "find" together with "fgrep"). As you are convinced that this information is vital for Zope users, you may collect it and donate it as an appendix to the ZDG (Zope's developer guide).

When we all behave this way, the Zope community's strength will grow fast...

Dieter
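
The source search Dieter describes, sketched in Python as an added example (not part of the original thread and not Zope's own code). It goes one step beyond find/fgrep by recording the nearest preceding class or def for each hit; the function names, the file extensions searched and the sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile

PERMISSION = "Access contents information"
SCOPE = re.compile(r"^\s*(class|def)\s+(\w+)")

def find_permission_uses(root, permission=PERMISSION, exts=(".py", ".dtml")):
    """Return sorted (relative path, line no, enclosing scope, line text) tuples."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            scope = None  # heuristic: nearest preceding class/def line
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    m = SCOPE.match(line)
                    if m:
                        scope = m.group(2)
                    if permission in line:
                        rel = os.path.relpath(path, root)
                        hits.append((rel, lineno, scope, line.strip()))
    return sorted(hits)

def build_sample_tree():
    """Constructed sample tree for the demo, not real Zope source."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "OFS"))
    with open(os.path.join(root, "OFS", "Sample.py"), "w") as fh:
        fh.write(
            "class SampleFolder:\n"
            "    __ac_permissions__ = (\n"
            "        ('Access contents information', ('objectIds', 'objectValues')),\n"
            "        ('View', ('index_html',)),\n"
            "    )\n"
        )
    with open(os.path.join(root, "README.txt"), "w") as fh:
        fh.write("Access contents information is mentioned here but not searched.\n")
    return root

if __name__ == "__main__":
    for path, lineno, scope, text in find_permission_uses(build_sample_tree()):
        print(f"{path}:{lineno} [{scope}] {text}")
```

Pointing `find_permission_uses` at a real source checkout gives the raw list of declarations from which such an appendix could be compiled.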