[Zope-dev] Methods through the Web (security?)

Steve Alexander s.alexander@lancaster.ac.uk
Thu, 18 May 2000 16:51:47 +0100


Martijn Faassen wrote:
> 
> Brian Lloyd wrote:
> > Yes you could, except that you would also make them inaccessible
> > from DTML (or from anywhere else) for the same class of users.
> >
> > Is it really acceptable that in order to use <dtml-in objectIds>
> > on a page that needs to be accessible to anonymous users that I
> > must grant 'Access contents information' to anonymous users and
> > thus give them the ability to inspect my objects if they want to?
> 
> So you have something like:
> 
> 'Access at all' (this is 'Access Contents Information')
> 
> 'Access through URL' (the 'expose' flag I talked about in previous posts)
> 
> 'Access through FTP'
> 
> 'Access through XML-RPC'
> 
> etc.

This is an interesting idea --

The Zope server is an Object database that exposes objects and
attributes via various protocol modules.

I can see a future where you'd want to be able to plug in arbitrary
protocol modules -- and perhaps more than one instance of each type of
protocol (for example, http on ports 80 and 8080).

It would make sense to me for each protocol to have its own set of
"expose flags" or even "expose rules" for each addressable
object/attribute.

The user interface to manage the objects could collect these all into
one place, so as the manager of an object, you can decide what is
allowed to be seen via which protocols.

--
Steve Alexander
Software Engineer
Cat-Box limited
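
The per-protocol "expose flags" idea from this message, sketched as an added example that is not part of the original post and does not use Zope's security API. `ExposurePolicy`, its methods, the object paths and the listener names such as `http:80` are hypothetical; the model assumes an attribute is reachable over a protocol instance only if the role holds the base permission and that instance has been explicitly allowed.

```python
# Added illustration only: a hypothetical model, not Zope's security machinery.
from dataclasses import dataclass, field


@dataclass
class ExposurePolicy:
    # (object path, attribute) -> roles holding 'Access contents information'
    grants: dict = field(default_factory=dict)
    # (object path, attribute) -> protocol instances allowed to expose it
    expose: dict = field(default_factory=dict)

    def grant(self, path, attr, role):
        self.grants.setdefault((path, attr), set()).add(role)

    def expose_via(self, path, attr, listener):
        self.expose.setdefault((path, attr), set()).add(listener)

    def allowed(self, path, attr, role, listener):
        """listener is None for in-process use such as DTML rendering."""
        key = (path, attr)
        if role not in self.grants.get(key, set()):
            return False  # no base permission: denied everywhere
        if listener is None:
            return True   # internal call: the permission alone decides
        # Default deny: a protocol instance must be listed explicitly.
        return listener in self.expose.get(key, set())

    def manager_view(self, path):
        """Collect every expose rule for one object in one place."""
        return {attr: sorted(ls)
                for (p, attr), ls in self.expose.items() if p == path}


def demo():
    policy = ExposurePolicy()
    # Constructed sample: anonymous pages may list objectIds from DTML,
    # but objectIds itself is not exposed over any protocol.
    policy.grant("/site/folder", "objectIds", "Anonymous")
    policy.grant("/site/folder", "index_html", "Anonymous")
    # Two instances of the same protocol type, each with its own rule.
    policy.expose_via("/site/folder", "index_html", "http:80")
    policy.expose_via("/site/folder", "index_html", "http:8080")
    return policy


if __name__ == "__main__":
    p = demo()
    print(p.allowed("/site/folder", "objectIds", "Anonymous", None))
    print(p.allowed("/site/folder", "objectIds", "Anonymous", "http:80"))
    print(p.manager_view("/site/folder"))
```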