[Zope-dev] RE: objectIds accessiblilty & and a proposal
Toby Dickenson
tdickenson@geminidataloggers.com
Wed, 20 Dec 2000 09:43:14 +0000
On Mon, 18 Dec 2000 14:11:51 -0500, "Brian Lloyd" <brian@digicool.com>
wrote:
>This is something that has come up before. I propose
>that the real problem here is that 'objectIds' should
>not be web-traversable.
>
>I have, in fact, proposed this before. It caused a bit
>of grumbling among people using xml-rpc, who were using
>objectIds remotely, so we never came to closure on it.

Please No.

Zope security is complex enough without having to worry about
different security settings depending on how a method is accessed.
(And we should have a lower tolerance for complexity when it applies
to security)

If a user has permission to access a method then he should be able to
access it any way (xmlrpc, ZPublisher, DTML, PythonMethods)

Conversely, if a user is given an "Access Denied" message using one
means of access (say, using ZPublisher) then he *must* also be denied
using every other one. Security testing is much harder without this
property.

If anyone is seriously worried about this as a problem then they can already
deny Anonymous users the 'Access contents information' permission, and
grant a proxy role to methods that generate indexes. (Indeed, this may
make sense as the default configuration)

Toby Dickenson
tdickenson@geminidataloggers.com
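
The property argued for in the message above, together with the configuration its last paragraph suggests, as an added example that is not part of the original message and is not Zope's code. It is a toy model: `Folder`, `allowed`, `call`, `index_method` and `decisions` are hypothetical names, and the sample folder contents are constructed.

```python
# Toy model (constructed for illustration; not Zope's API or implementation).
ACI = "Access contents information"
PATHS = ("xmlrpc", "ZPublisher", "DTML", "PythonMethods")
PROTECTED_BY = {"objectIds": ACI}  # method name -> permission guarding it

class Folder:
    def __init__(self, ids, permission_roles):
        self._ids = list(ids)
        # permission name -> set of roles that hold it on this folder
        self.permission_roles = permission_roles

    def objectIds(self):
        return list(self._ids)

def allowed(folder, roles, method):
    """Single decision point; it deliberately takes no access-path argument."""
    needed = PROTECTED_BY[method]
    return bool(set(roles) & folder.permission_roles.get(needed, set()))

def call(path, folder, roles, method):
    """Every front end in PATHS funnels through the same check."""
    if path not in PATHS:
        raise ValueError(f"unknown access path: {path}")
    if not allowed(folder, roles, method):
        raise PermissionError(f"Access Denied: {method} via {path}")
    return getattr(folder, method)()

def index_method(folder, caller_roles, proxy_roles=("Manager",)):
    """Index generator: caller_roles is ignored, the proxy roles are used."""
    return sorted(call("DTML", folder, proxy_roles, "objectIds"))

def decisions(folder, roles, method):
    """Outcome per access path, for checking the uniformity property."""
    out = {}
    for path in PATHS:
        try:
            call(path, folder, roles, method)
            out[path] = True
        except PermissionError:
            out[path] = False
    return out

def demo():
    # Anonymous is denied 'Access contents information'; only Manager holds it.
    folder = Folder(["b_doc", "a_doc"], {ACI: {"Manager"}})
    return (decisions(folder, ["Anonymous"], "objectIds"),
            index_method(folder, ["Anonymous"]))
```

A security test against this model only has to compare the values in the `decisions` result: any disagreement between paths is a defect.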