[Zope-dev] Methods through the Web (security?)

Duncan Booth duncan@rcp.co.uk
Wed, 17 May 2000 17:49:03 +0000


> While I'm at it, is there any way to make DTML methods accessible to
> objects (such as other DTML methods) but not through URLs other than by a
> tortuous series of proxy roles? I've expressed views about an 'execute'
> permission in the past but these have fallen on deaf ears.
> 
You could probably do something useful using siteaccess if you 
strictly enforced a naming convention across your site. I have 
wondered about lower casing all incoming URLs so as to make 
them effectively case independent and this would have a side effect 
of making all mixed/upper case objects inaccessible.

Or you might have a convention that everything web callable had an 
extension and prevent access to any methods without a dot in the 
id.

Of course siteaccess can be bypassed, but it should be possible 
to disable this.

-- 
Duncan Booth                                             duncan@dales.rmplc.co.uk
int month(char *p){return(124864/((p[0]+p[1]-p[2]&0x1f)+1)%12)["\5\x8\3"
"\6\7\xb\1\x9\xa\2\0\4"];} // Who said my code was obscure?
http://dales.rmplc.co.uk/Duncan
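
The two naming conventions suggested in the message above, as an added example that is not part of the original post and does not use the SiteAccess API. It is a standalone Python sketch: the function names and the sample `SITE` ids are hypothetical, and requiring a non-empty name on both sides of the dot is this example's choice, stricter than "a dot in the id".

```python
from urllib.parse import unquote

# Constructed sample site: each tuple is the id path of one object.
SITE = {("shop", "index_html"), ("shop", "index.html"), ("shop", "priceHelper")}

def split_ids(path):
    """Return the object ids named by a request path, or None if ambiguous."""
    if "%2f" in path.lower():
        return None  # encoded slash: segment boundaries are unclear, refuse
    ids = [unquote(seg) for seg in path.split("/") if seg]
    if any(i in (".", "..") for i in ids):
        return None
    return ids

def allowed_by_extension(path):
    """Extension convention: only a final id of the form name.ext is callable."""
    ids = split_ids(path)
    if not ids:
        return False
    name, _, ext = ids[-1].rpartition(".")
    return bool(name and ext)

def reachable_after_lowercasing(path, site=SITE):
    """Lowercasing convention: fold the request, then look it up exactly."""
    ids = split_ids(path)
    if not ids:
        return False
    return tuple(i.lower() for i in ids) in site

if __name__ == "__main__":
    for p in ("/shop/index.html", "/shop/priceHelper", "/Shop/Index_HTML",
              "/shop/%70riceHelper", "/shop/index.html/..%2FpriceHelper"):
        print(p, allowed_by_extension(p), reachable_after_lowercasing(p))
```

Both checks decode percent-escapes before testing the id, so an escaped spelling of a helper's name is judged the same as the plain one.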