[Zope-dev] Methods through the Web (security?)
Ty Sarna
tsarna@endicor.com
17 May 2000 20:06:00 GMT
In article <613145F79272D211914B0020AFF640195A719F@gandalf.digicool.com>,
Brian Lloyd <Brian@digicool.com> wrote:
> > How come you can browse things like the objectIds and objectValues
> > methods through the web? Surely this is exposing information
> > that people
> > shouldn't really know about?
>
> You're right - and stop calling me shirley. :) This is something of
Hmm, another ZAZ fan :-)
> a holdover from the bobo days - if you are a method and you have a
> docstring, you are accessible through the web (but still subject to
> the std security rules). objectIds and objectValues are a good
> example of things that really only want to be used from DTML and
> thus shouldn't have docstrings. I've changed this (and a few other
> iffy methods) for the next release.
Won't this break Amos' XML-RPC-based editor and similar hacks?
Can't you just turn off 'Access contents information' permission or
whatever it is on a folder if you don't want people to call
those things through the web?
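
The two controls discussed in this thread, sketched as an added example that is not part of either message and is not Zope or ZPublisher code: a toy publisher that only exposes methods with a docstring and then applies a permission check. `Folder`, `publish()`, the `permission` attribute and the roles table are hypothetical names chosen for illustration.

```python
# Toy model of the publishing rule described above; NOT Zope/ZPublisher code.
# Folder, publish() and the per-folder roles table are hypothetical.

class NotFound(Exception):
    pass

class Forbidden(Exception):
    pass

ACCESS = "Access contents information"

class Folder:
    def __init__(self, items, permissions):
        self._items = dict(items)
        # permission name -> set of roles granted that permission here
        self.permissions = permissions

    def objectIds(self):
        """Return the ids of contained objects."""  # docstring => URL-callable
        return sorted(self._items)
    objectIds.permission = ACCESS

    def objectValues(self):
        # No docstring: usable from templates and code, never from a URL.
        return [self._items[k] for k in sorted(self._items)]
    objectValues.permission = ACCESS

def publish(obj, name, roles):
    """Resolve one URL path segment to a method call."""
    if name.startswith("_"):
        raise NotFound(name)
    method = getattr(obj, name, None)
    if not callable(method) or not getattr(method, "__doc__", None):
        raise NotFound(name)        # control 1: no docstring, not published
    needed = getattr(method, "permission", None)
    if needed and not (set(roles) & obj.permissions.get(needed, set())):
        raise Forbidden(name)       # control 2: standard permission check
    return method()

if __name__ == "__main__":
    # Constructed sample data: one folder where only Manager holds ACCESS.
    locked = Folder({"a": 1, "b": 2}, {ACCESS: {"Manager"}})
    print(publish(locked, "objectIds", ["Manager"]))
```

Removing the docstring hides a method from every web client, including remote editors that rely on it, while revoking the permission on a folder keeps the method callable for roles that still hold it.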