[Zope] Newbie Security Query

Chris Withers chrisw@nipltd.com
Mon, 07 Feb 2000 15:30:01 +0000


Hi,

I've just been reading an interesting article on XML-RPC which led me to try
something and ask some questions...

If you go to http://www.zope.org/title_or_id you get the result of the
title_or_id method. The same is true of the manage method and the REQUEST
method. Me being paranoid, this makes me wonder whether there are any 'bad'
methods that could be executed in this way, without any security authorization?

Again, being paranoid, how would you go about turning off the title_or_id or
REQUEST methods, or at least requiring authorisation to use them? (While of
course leaving it possible for DTML methods and the like within the site to call
them)

Finally, if you had a DTML document, method or image, etc, called title_or_id or
manage, how would you go about getting the one you want, either the document or
the result of calling the method?

cheers for any help,

confusedly,

Chris
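The concern in the message above is that a URL path is turned straight into a method call. The following is an added, self-contained Python sketch (not Zope's publisher and not code from the poster) that contrasts a naive URL-to-attribute dispatcher with one that only publishes methods listed in an explicit table together with the roles allowed to call them. The `Document` class, the `PUBLISHED` table, the role names and the `Request` object are all assumptions made for the illustration; in-process calls (the equivalent of a DTML method calling `title_or_id`) bypass the table entirely, which is the behaviour the question asks to preserve.

```python
"""Toy model of URL-to-method publishing (added example, not Zope's own code).

The naive publisher looks up whatever name appears in the URL and calls it,
so every method on the object is reachable over HTTP with no authorization.
The checked publisher only serves names in an explicit table and requires
the caller to hold one of the roles listed for that name.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Name is published, but the caller lacks a permitted role."""


class NotFound(Exception):
    """Name is not published at all."""


@dataclass
class Request:
    path: str
    roles: set = field(default_factory=lambda: {"Anonymous"})  # caller's roles (constructed)


class Document:
    """Hypothetical content object, stands in for a DTML document."""
    title = "Front page"
    id = "index_html"

    def title_or_id(self):
        return self.title or self.id

    def manage(self):
        return "management screen"

    def _clear(self):
        # Internal helper that should never be reachable from a URL.
        return "content cleared"

    def index_html(self):
        # In-process call: unaffected by any publishing check.
        return "<h1>%s</h1>" % self.title_or_id()


def publish_naive(obj, request):
    """Unsafe: any attribute named in the URL is looked up and called."""
    name = request.path.strip("/")
    attr = getattr(obj, name, None)
    if attr is None:
        raise NotFound(name)
    return attr() if callable(attr) else attr


# Explicit publication table: method name -> roles allowed to call it.
# Anything absent here is simply not reachable over a URL.
PUBLISHED = {
    "index_html": {"Anonymous", "Manager"},
    "title_or_id": {"Anonymous", "Manager"},
    "manage": {"Manager"},
}


def publish_checked(obj, request):
    """Serve only table entries, and only to callers holding a listed role."""
    name = request.path.strip("/")
    allowed = PUBLISHED.get(name)
    if allowed is None:
        raise NotFound(name)
    if not (request.roles & allowed):
        raise Forbidden(name)
    return getattr(obj, name)()


def outcome(publisher, obj, request):
    """Return the published value, or the exception class name on refusal."""
    try:
        return publisher(obj, request)
    except (NotFound, Forbidden) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    doc = Document()
    for path in ("/title_or_id", "/manage", "/_clear"):
        print(path, "naive:", outcome(publish_naive, doc, Request(path)),
              "checked:", outcome(publish_checked, doc, Request(path)))
```

Running the module shows `/manage` and `/_clear` answered by the naive publisher for an anonymous caller, while the checked publisher returns `Forbidden` and `NotFound` respectively; `index_html` still calls `title_or_id` internally without consulting the table.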