Toby Dickenson wrote:
Those people were concerned that too many things were exposed via ZPublisher also.... My interpretation was that the issue is one of access control, not publishing protocol.
I think the issue is that you can't limit the visibility of objects right now. You can limit their access easily enough (or more tortuously if you don't want people to access the bits of a page on their own (standard_*, etc.) via a complex web of proxy roles and required permissions) but there doesn't appear to be any easy way to say "right, I want this object exposed for reading and writing via FTP and reading via HTTP, while this one shouldn't be URL traversable but I'd like to edit it via WebDAV and this method is for use via XML-RPC but really shouldn't be visible anywhere else."

You can hack some of it with clever SiteAccess usage but it is a hard problem. Ideally, you'd also want anything that deals with the above to be related to user roles as well. This is because the thing which makes the problem hard is that something like standard_html_header wants to be editable by Managers TTW, which means it also has to be visible TTW. However, it's probably not something you want exposed to anonymous users, especially as a TTW entity in its own right. objectIds is my other favourite example ;-)

What do other people think? What would be the overhead of introducing the above type of publishing restrictions?

cheers,

Chris