[Zope-dev] RE: objectIds accessibility & and a proposal
Brian Lloyd
brian@digicool.com
Mon, 18 Dec 2000 14:11:51 -0500
> > If you type in http://www.zope.org/Members/objectIds you get a list of
> > all Members. Although it is a useful feature.. ;) .. I can't really
> > see why objectIds should be available for everyone, at any given time.
> >
> > Is this a bug or a feature?
> I was able to do this as anonymous on another Zope site as well. It
> basically lets you do a directory listing of any folderish object. Using
> objectValues, you can learn the type of objects that live there too.
>
> This lets you learn about all objects, even if you do not have view
> rights to the object listed. However, you do need view rights to the
> folder you are calling objectIds for.
>
> This does seem to me like a way for clandestine users to learn more
> information about your site than they need to know. Perhaps this
> "feature" needs to be locked down.
This is something that has come up before. I propose
that the real problem here is that 'objectIds' should
not be web-traversable.
I have, in fact, proposed this before. It caused a bit
of grumbling among people using xml-rpc, who were using
objectIds remotely, so we never came to closure on it.
This comes up often enough that I'm inclined to do
something about it for 2.3. I propose that objectIds
(and objectValues) will not be directly accessible
via the Web in 2.3. For xml-rpc applications, it should
be a simple enough task to create a Python Script (or
even a DTML Method) that *is* Web accessible to relay
that information if it is needed.
Thoughts?
Brian Lloyd brian@digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com