[Zope-dev] Methods through the Web (security?)

Toby Dickenson tdickenson@geminidataloggers.com
Fri, 19 May 2000 07:18:56 +0100


On Thu, 18 May 2000 16:55:37 +0200, Martijn Faassen
<faassen@vet.uu.nl> wrote:

>Brian Lloyd wrote:
>> Yes you could, except that you would also make them inaccessible
>> from DTML (or from anywhere else) for the same class of users. 
>> 
>> Is it really acceptable that in order to use <dtml-in objectIds>
>> on a page that needs to be accessible to anonymous users that I 
>> must grant 'Access contents information' to anonymous users and
>> thus give them the ability to inspect my objects if they want to? 
>
>So you have something like:
>
>'Access at all' (this is 'Access Contents Information')
>
>'Access through URL' (the 'expose' flag I talked about in previous posts)
>
>'Access through FTP'
>
>'Access through XML-RPC'

It sounds like what you really want is the ability to provide a
different Anonymous User objects, based on how the user is accessing
the server. You could have separate "Anonymous RPC User", "Anonymous
FTP User" etc, and use the existing mechanism to give different
permissions to each user.



Toby Dickenson
tdickenson@geminidataloggers.com