[Zope-dev] Methods through the Web (security?)
Brian Lloyd
Brian@digicool.com
Wed, 17 May 2000 15:14:43 -0400
> How come you can browse things like the objectIds and objectValues
> methods through the web? Surely this is exposing information that
> people shouldn't really know about?
You're right - and stop calling me shirley. :) This is something of
a holdover from the bobo days - if you are a method and you have a
docstring, you are accessible through the web (but still subject to
the std security rules). objectIds and objectValues are a good
example of things that really only want to be used from DTML and
thus shouldn't have docstrings. I've changed this (and a few other
iffy methods) for the next release.
> While I'm at it, is there any way to make DTML methods accessible to
> objects (such as other DTML methods) but not through URLs, other than
> by a tortuous series of proxy roles?
> I've expressed views about an 'execute' permission in the past but
> these have fallen on deaf ears.
>
> For example:
> http://www.codecatalog.com/standard_html_footer
>
> This is messy and there's no reason why it needs to be exposed
> through a URL.
I don't have a good answer for you, though I tend to agree with
you that some things just don't want to be accessed outside of
some larger context. I'd like to hear some different viewpoints
on how people think something like this should work...
Brian Lloyd brian@digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com
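As an added illustration (not code from the Zope project or from anyone in this thread), here is a toy Python model of the rule Brian describes: a method is reachable through the web only if it has a docstring, and a published method is then still subject to the security rules. The names web_publishable, publish, publish_result and the per-method _web_roles map are this example's own assumptions; Zope's real ZPublisher and permission machinery work differently. The Folder class and its contents are constructed sample data.

```python
# Added example, not Zope's code: a toy model of "if you are a method and
# you have a docstring, you are accessible through the web (but still
# subject to the security rules)". The names below (web_publishable,
# publish, publish_result, _web_roles) are hypothetical.
from typing import Any, Callable, Optional, Set


class NotFound(Exception):
    """Name does not resolve to anything the publisher will expose."""


class Unauthorized(Exception):
    """Name is publishable, but the caller lacks a role allowed to call it."""


def web_publishable(obj: Any, name: str) -> Optional[Callable]:
    """Return the method if the docstring rule would publish it, else None.

    Modelled rule: no leading underscore, must be callable, must carry a
    non-empty docstring. Anything else is simply invisible through a URL.
    """
    if name.startswith("_"):
        return None
    attr = getattr(obj, name, None)
    if not callable(attr):
        return None
    doc = getattr(attr, "__doc__", None)
    if not doc or not doc.strip():
        return None
    return attr


class Folder:
    """Constructed sample container with a few named children."""

    # Hypothetical per-method role map standing in for the security rules;
    # methods not listed here default to Manager only.
    _web_roles = {"objectIds": {"Anonymous", "Manager"},
                  "summary": {"Anonymous", "Manager"}}

    def __init__(self, items: dict):
        self._items = dict(items)

    def objectIds(self):
        """Return the ids of contained objects."""  # docstring: published
        return sorted(self._items)

    def objectValues(self):
        # No docstring: usable from summary() below, not reachable by URL.
        return [self._items[k] for k in sorted(self._items)]

    def summary(self):
        """Count the children using the unpublished helper."""
        return "%d objects" % len(self.objectValues())

    def manage_listing(self):
        """Management view: published, but Manager only (absent from _web_roles)."""
        return dict(self._items)


def publish(obj: Any, name: str, user_roles: Set[str]):
    """Resolve one URL step: the docstring gate first, then the role check."""
    method = web_publishable(obj, name)
    if method is None:
        raise NotFound(name)
    allowed = getattr(obj, "_web_roles", {}).get(name, {"Manager"})
    if not (allowed & user_roles):
        raise Unauthorized(name)
    return method()


def publish_result(obj: Any, name: str, user_roles: Set[str]):
    """Report the outcome as a tuple instead of raising, for easy inspection."""
    try:
        return ("ok", publish(obj, name, user_roles))
    except (NotFound, Unauthorized) as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    folder = Folder({"a": 1, "b": 2})
    for name in ("objectIds", "objectValues", "summary", "manage_listing", "_items"):
        print(name, publish_result(folder, name, {"Anonymous"}))
```

Removing the docstring from objectValues makes it vanish from the URL space entirely (NotFound for everyone, Manager included) while summary() can still call it internally, which is exactly the distinction Brian draws between "only wants to be used from DTML" and "published". Note that the docstring gate is a visibility rule, not an authorization rule: manage_listing stays published and relies on the role check to refuse Anonymous callers.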