Re: [Zope] hiding includes from webacces
Chris Withers wrote:
Nils Decker wrote:
Is there a way to deny direct access to Objects, but allow them to be included into other documents? I have tried to set up a role "include" and set my index_html to proxy to this rule, but it did not work.
This is something I've been looking to do since I first started using Zope about a year and a half ago :-(
Anyone got any ideas, I'd love to hear them...
There is a rather kludgy solution if you host Zope behind another web server such as Apache, which is to apply a naming convention to web callable methods and non-web methods. For example, if you arrange for all URLs to be lowercased (not the query string), and include at least one capital letter in any non-web method, but none in web accessible methods. This would only work of course if the administrators can bypass the web server and go straight to Zope. A slightly cleaner way still based on rewrites would be to separate the methods into different folders and remove the name of the folder with the non-web accessible methods from any URL.

--
Duncan Booth duncan@rcp.co.uk
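Added example, not part of the original message or of Zope itself: an Apache httpd front end that applies the lowercase naming convention described above. The host name, the Zope address 127.0.0.1:8080, and the map name `lc` are assumptions, and mod_rewrite, mod_proxy and mod_proxy_http are assumed to be loaded.

```apache
# Constructed example. ServerName, backend address and the map name "lc"
# are assumptions, not values from the thread.
<VirtualHost *:80>
    ServerName www.example.com

    RewriteEngine On

    # Built-in mod_rewrite map that lowercases its argument.
    RewriteMap lc int:tolower

    # In virtual-host context the pattern is matched against the
    # %-decoded URL path only. The query string is not part of the match
    # and is passed through unchanged, as the convention requires.
    #
    # Every path is lowercased before it is proxied to Zope, so an object
    # whose id contains a capital letter (for example "StandardHeader")
    # cannot be addressed through this server. Zope ids are case
    # sensitive, so "standardheader" does not resolve to it. DTML includes
    # are resolved inside Zope and never pass through this rule.
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/${lc:$1} [P,L]
</VirtualHost>
```

The convention only holds if Zope is reachable solely through this server by ordinary clients, so the Zope port should listen on loopback or an administration network, which is also the path administrators use to reach the mixed-case objects directly.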