----- Original Message -----
From: "Chris Withers" <chrisw@nipltd.com>
To: "Zope Mailing List" <zope@zope.org>
Sent: Monday, February 07, 2000 10:30 AM
Subject: [Zope] Newbie Security Query
> If you go to http://www.zope.org/title_or_id you get the result of the title_or_id method. The same is true of the manage method and the REQUEST method. Me being paranoid, this makes me wonder whether there are any 'bad' methods that could be executed in this way, without any security authorization?
There's nothing *very* bad that can be executed without permission. "objectIds" is questionable.
> Again, being paranoid, how would you go about turning off the title_or_id or REQUEST methods, or at least requiring authorisation to use them? (While of course leaving it possible for DTML methods and the like within the site to call them)
I don't know that there is any way to do so. I don't think the security machinery differentiates between things called from the web directly and called from DTML (though it is only through my observations that I say this, I haven't looked at that part of the code).
> Finally, if you had a DTML document, method or image, etc, called title_or_id or manage, how would you go about getting the one you want, either the document or the result of calling the method?
Hmmm... I don't think I'd be brave enough to name something "manage" :)

Kevin
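The exposure Chris describes (any method reachable by name, such as title_or_id, manage or objectIds, gets called when its name appears in the URL) comes down to how a publisher maps path segments onto attributes. The following is an added example, not code from the thread, from Zope, or from either poster: a toy publisher in plain Python that models the problem and a deny-by-default variant of it. The `Folder` class, the `<name>__roles__` declarations and the `PUBLIC`/`PRIVATE` markers are constructed for the example and are a simplified stand-in for the idea of declaring who may call a published method, not Zope's real security machinery.

```python
"""Toy model of publishing object methods by URL path (example code, not
Zope's publisher).  naive_publish exposes every attribute reachable by name,
which is the situation discussed in the thread; hardened_publish only
publishes names that carry an explicit role declaration the caller satisfies.
"""


class Forbidden(Exception):
    """Raised when a web caller lacks the role a published name requires."""


class NotFound(Exception):
    """Raised when a path segment names nothing publishable."""


PUBLIC = None   # anyone on the web may call this name
PRIVATE = ()    # callable from code, but never through a URL


class Folder:
    """Constructed stand-in for a container object holding sub-objects."""

    def __init__(self, id, title=""):
        self.id = id
        self.title = title
        self._objects = {}

    def add(self, obj):
        self._objects[obj.id] = obj
        return obj

    # Methods a container might carry; all of them are reachable by attribute name.
    def title_or_id(self):
        return self.title or self.id

    def objectIds(self):
        return sorted(self._objects)

    def manage(self):
        return "management screen for %s" % self.id

    def rebuild(self):
        return "rebuilt %s" % self.id


# Role declarations (assumed convention for this example): the hardened publisher
# treats any name without one as PRIVATE, so exposure is opt-in rather than opt-out.
Folder.title_or_id__roles__ = PUBLIC
Folder.objectIds__roles__ = ("Manager",)
Folder.manage__roles__ = ("Manager",)
Folder.rebuild__roles__ = PRIVATE


def _resolve(obj, segment):
    """Look up a sub-object first, then an attribute; underscore names are never published."""
    if segment.startswith("_"):
        raise NotFound(segment)
    subobjects = getattr(obj, "_objects", {})
    if segment in subobjects:
        return subobjects[segment]
    try:
        return getattr(obj, segment)
    except AttributeError:
        raise NotFound(segment)


def _finish(value):
    """Call the final traversed object if it is callable, as a publisher would."""
    return value() if callable(value) else value


def naive_publish(root, path, user_roles=()):
    """Every non-underscore attribute is exposed; user_roles is ignored on purpose."""
    obj = root
    for segment in filter(None, path.split("/")):
        obj = _resolve(obj, segment)
    return _finish(obj)


def hardened_publish(root, path, user_roles=()):
    """Publish a name only if it is declared and the caller holds one of its roles."""
    obj = root
    for segment in filter(None, path.split("/")):
        parent = obj
        obj = _resolve(parent, segment)
        if segment in getattr(parent, "_objects", {}):
            continue  # traversing into a sub-object; its methods are checked in turn
        roles = getattr(type(parent), segment + "__roles__", PRIVATE)  # undeclared -> PRIVATE
        if roles is PUBLIC:
            continue
        if not set(roles) & set(user_roles):
            raise Forbidden("%s requires one of %r" % (segment, roles))
    return _finish(obj)


def outcome(publisher, root, path, user_roles=()):
    """Return the published value, or the refusal's class name, for easy comparison."""
    try:
        return publisher(root, path, user_roles)
    except (Forbidden, NotFound) as exc:
        return type(exc).__name__


def build_site():
    """Constructed sample site: a root folder with one sub-folder."""
    root = Folder("site", "Example Site")
    root.add(Folder("docs", "Documentation"))
    return root


if __name__ == "__main__":
    site = build_site()
    for path in ("/title_or_id", "/docs/title_or_id", "/objectIds", "/manage", "/rebuild", "/_objects"):
        print("%-20s naive=%-28r anonymous=%-12r manager=%r" % (
            path, outcome(naive_publish, site, path),
            outcome(hardened_publish, site, path),
            outcome(hardened_publish, site, path, ("Manager",))))
```

Running the block prints one row per path: the naive publisher returns the management screen and the object ids to an anonymous caller, while the hardened one refuses `manage` and `objectIds` without the Manager role and refuses `rebuild` to everyone because it is declared private. The design point is the default: in `hardened_publish` a name with no declaration is treated as private, so forgetting to declare a method fails closed rather than silently exposing it.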