Chris Withers wrote:
Toby Dickenson wrote:
Those people were concerned that too many things were exposed via ZPublisher also.... My interpretation was that the issue is one of access control, not publishing protocol.
I think the issue is that you can't limit the visibility of objects right now. You can limit their access easily enough (or more tortuously if you don't want people to access the bits of a page on their own (standard_*, etc.) via a complex web of proxy roles and required permissions) but there doesn't appear to be any easy way to say "right, I want this object exposed for reading and writing via FTP and reading via HTTP, while this one shouldn't be URL traversable but I'd like to edit it via WebDAV and this method is for use via XML-RPC but really shouldn't be visible anywhere else."
It seems like this can be handled rather well by simply adding an 'XML-RPC access', a 'SOAP access' and a 'WebDAV access' set of permissions. We already have an 'FTP access' permission which works fine. These could then be matched with appropriate 'view' permissions as well.

On a slightly different note, I think that the permissions list should be viewable in two more ways: a view where permissions are grouped into 'subjects' (for example, all the ones I just mentioned should go into an 'access protocol' subject and possibly a 'view protocol' subject) and another view where permissions are grouped according to the roles that have them. These different views should all be on the same tab, with hyperlinks to switch between them (sort of like the 'local roles' screen is linked from 'security').

Michael Bernstein.
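The per-protocol permissions proposed above, applied to the three cases from the earlier message, as an added example that is not from either post and is not Zope code. The 'HTTP access' permission, the 'View'/'Change' action names, the role names and the ACL contents are assumptions constructed for illustration.

```python
# Toy model of the proposal; this is not Zope's security machinery.
# Only 'FTP access' is named on the page as existing; the rest are the
# permissions proposed in the post or assumed here for illustration.
PROTOCOL_PERMISSION = {
    "ftp": "FTP access",
    "webdav": "WebDAV access",
    "xmlrpc": "XML-RPC access",
    "soap": "SOAP access",
    "http": "HTTP access",            # assumed, not proposed in the post
}
ACTION_PERMISSION = {"read": "View", "write": "Change"}   # assumed names

# Constructed sample: object -> permission -> roles granted that permission.
ACL = {
    "report": {     # read/write over FTP, read-only over HTTP
        "FTP access": {"Uploader"}, "HTTP access": {"Anonymous"},
        "View": {"Anonymous", "Uploader"}, "Change": {"Uploader"},
    },
    "template": {   # editable over WebDAV, never reachable by URL
        "WebDAV access": {"Designer"},
        "View": {"Designer"}, "Change": {"Designer"},
    },
    "rpc_method": {"XML-RPC access": {"Client"}, "View": {"Client"}},
}

def allowed(obj, roles, protocol, action):
    """Deny by default: the caller's roles must hold both the protocol
    permission and the action permission on the object."""
    acl = ACL.get(obj, {})
    needed = (PROTOCOL_PERMISSION.get(protocol), ACTION_PERMISSION.get(action))
    if None in needed:
        return False                  # unknown protocol or action
    return all(set(roles) & acl.get(perm, set()) for perm in needed)

def by_role(obj):
    """The 'grouped by role' view: role -> sorted permissions it holds."""
    view = {}
    for perm, roles in ACL.get(obj, {}).items():
        for role in roles:
            view.setdefault(role, []).append(perm)
    return {role: sorted(perms) for role, perms in view.items()}

if __name__ == "__main__":
    for obj in ACL:
        print(obj, by_role(obj))
```

Because the two permissions are checked independently, a caller holding both Anonymous and Uploader passes the HTTP write check on `report` even though neither role alone does. The by-role view is where that combination shows up during review.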