[Zope-dev] Methods through the Web (security?)

Martijn Faassen faassen@vet.uu.nl
Thu, 18 May 2000 17:21:29 +0200


Tres Seaver wrote:
> I don't get the issue here, I guess;  either anonymous users can view
> objectIds (through the web, through XML-RPC, whatever), or they can't
> (because you don't want them to have the information that a given
> object is there, I guess?)

Perhaps you just don't want to expose internal implementation details
to them. Users have no business viewing 'standard_html_header' directly, for
instance.

> If they can't, then _any_ DTML method
> which calls objectIds() should be required to have non-anonymous
> permissions, either through the AUTHENTICATED_USER or through proxy
> roles.  This seems to be working as designed in the current
> implementation.  Turning off objectIds() by default is like running
> an anonymous FTP server but disallowing the "dir" command:  it reduces
> the utility of the server to such an extent that you might as well
> not bother. :)

I think this picture changes if you make the distinction between viewing as an
anonymous user, viewing as the manager, viewing through XML-RPC,
etc. 

I think the idea is that a random person on the web should only 
be able to view that which that user is explicitly allowed to view.
Preferably the user should not have the capability to access things
directly that are actually only DTML/Python methods used to *produce*
the view. If you could say to a method that it is like that, you can
make a distinction that can currently not be made, i.e. a 'viewable
through URL' permission (default set to off).

Regards,

Martijn
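
The distinction proposed in this message, sketched as an added example that is not part of the original post and is not Zope code: a toy publisher in which each method carries a hypothetical `url_viewable` flag (default off), so helper methods can be called while rendering a page but cannot be requested directly by URL. All class, function and attribute names here are assumptions made for the illustration.

```python
# Toy model constructed for illustration; not Zope's API or object model.
from dataclasses import dataclass, field
from typing import Callable, Dict


class NotPublishable(Exception):
    """Raised when a URL names something not marked as viewable through URL."""


@dataclass
class Method:
    body: Callable[["Folder"], str]
    url_viewable: bool = False  # hypothetical flag; default off, as proposed


@dataclass
class Folder:
    methods: Dict[str, Method] = field(default_factory=dict)

    def call(self, name: str) -> str:
        """Internal call from another method: the URL flag is not consulted."""
        return self.methods[name].body(self)

    def publish(self, url_path: str) -> str:
        """Entry point for a request that arrives by URL."""
        method = self.methods.get(url_path.strip("/"))
        # Unknown and unpublished names fail identically, so a remote
        # client cannot tell which helper objects exist.
        if method is None or not method.url_viewable:
            raise NotPublishable(url_path)
        return method.body(self)


def build_site() -> Folder:
    """Constructed sample site: one public page built from one helper."""
    site = Folder()
    site.methods["standard_html_header"] = Method(lambda f: "<html><body>")
    site.methods["index_html"] = Method(
        lambda f: f.call("standard_html_header") + "Welcome",
        url_viewable=True,
    )
    return site


def is_reachable(site: Folder, url_path: str) -> bool:
    """True if a request for url_path would be served."""
    try:
        site.publish(url_path)
        return True
    except NotPublishable:
        return False
```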