RE: [Zope] Access Control vs Publishing Protoco
oops, I forgot to foward my last mail on this subject to the list. My response here to Dieter's response captures contains the main points though...
I think, the implementation would be easy. Management, however, would be more difficult, as there are no good defaults for the "URL Traversable" permission. It is not easy, to determine (e.g.) for a DTML method/document whether it is only used as a component (such as "standard_html_header") or is a full grown presentation method.
Um, I don't think I understand.
[ snip ]
Currently, Zope tries to have very few explicit, object specific permissions. The ideal is that permissions are specified high above in the hierarchy and acquired by lower objects. This is quite possible with the current scheme. Implementing an "URL accessible" permission would require much more tweaking of single object permissions.
There are other ways to solve your problem by organization (putting things that should not be seen somewhere else) that do not require an additional permission.
Now I understand... I would disagree, however: I think there is a sensible default value. The default would be that anonymous does not have 'traverable' permission, but the manager / owner does. The cases where an authenticated user is able to traverse some objects but not others would, as you point out, be rare, because you could instead manage these by organisation. You would still use organisation to avoid having to set too many additional permissions. However, this solution would solve the 'security' issue of the anonymous user being able to list objectIds in any folder TTW. It would also allow the developer more flexibilty in how they designed their application, which can only be a Good Thing? seb.
Hi,The following dtml couse error, <dtml-comment> <dtml-var "sendMail(from='hello@world')"> </dtml-comment> The workaround is to change "from" to other words. Iap, Singuan
On Thu, 12 Oct 2000, iap_y2fun.com wrote:
Hi,The following dtml couse error,
<dtml-comment> <dtml-var "sendMail(from='hello@world')"> </dtml-comment>
The workaround is to change "from" to other words.
"from" is a python reserved word. ololo@zeus.polsl.gliwice.pl /--------------------------------------\ | `long long long' is too long for GCC | \--------------------------------------/
Seb Bacon writes:
....
Currently, Zope tries to have very few explicit, object specific permissions. The ideal is that permissions are specified high above in the hierarchy and acquired by lower objects. This is quite possible with the current scheme. Implementing an "URL accessible" permission would require much more tweaking of single object permissions.
There are other ways to solve your problem by organization (putting things that should not be seen somewhere else) that do not require an additional permission.
Now I understand... I would disagree, however: I think there is a sensible default value. The default would be that anonymous does not have 'traverable' permission, but the manager / owner does.... The "traversable" permission would be an additional requirement to view any object. Its main purpose would be to distinguish between "use via Web" and "use in DTML only". "standard_html_*" would be usable in DTML but could not be viewed via the web. They would not give "traversable" permission to Anonymous. Many DTML objects, however, would need to give the "traversable" permission even to Anonymous in order to be useful.
Dieter
Oh dear, I fear that this is going round and round and round in circles a bit, and that no-one else is following it, but here goes anyway :>
The "traversable" permission would be an additional requirement to view any object. Its main purpose would be to distinguish between "use via Web" and "use in DTML only". "standard_html_*" would be usable in DTML but could not be viewed via the web. They would not give "traversable" permission to Anonymous. Many DTML objects, however, would need to give the "traversable" permission even to Anonymous in order to be useful.
OK, I think we're talking about the same thing now...but could you give me an example of any object that would need to be traversable by Anonymous? index_html, for example, doesn't need to be traversable (I still prefer 'listable'). Viewable TTW, yes, but that's all. seb.
Seb Bacon writes:
OK, I think we're talking about the same thing now...but could you give me an example of any object that would need to be traversable by Anonymous? index_html, for example, doesn't need to be traversable (I still prefer 'listable'). Viewable TTW, yes, but that's all. I do not agree with you: I should be able to list what I am able to view (in order to learn what I can view).
I think, more than 30 per cent of my objects are like "index_html". They are designed to be viewed by Anonymous. The others are not destined to be viewed but to be used as components in viewed objects (like "standard_html_*"). The current Zope security requires that Anonymous has view permissions for them, too. But this allows Anonymous to view them in isolation which almost surely will give strange results (exceptions, empty pages, etc.). My primary concern (and maybe Chris') is, how can we prevent these objects to be viewed by Anonymous. If we succeed, then Anonymous can do nothing at all with them and it is no longer necessary to list them (for him). Thus, a solution for this problem may also be a solution for the other problem. However, a "listable" permission would not solve the distinction between directly viewable via the web and only indirectly viewable. Dieter
participants (5)
-
Aleksander Salwa -
Chris Withers -
Dieter Maurer -
iap_y2fun.com -
Seb Bacon