[Zope] Newbie Security Query

Chris Withers chrisw@nipltd.com
Mon, 07 Feb 2000 16:37:09 +0000


> There's nothing *very* bad that can be executed without permission.
> "objectIds" is questionable.

Okay, now I'm getting nervous... what not-so-bad things can you do?!
(going to http://www.zope.org/text_content brought up a very disturbing
screen...)

> I don't know that there is any way to do so. I don't think the security
> machinery differentiates between things called from the web directly and
> called from DTML (though it is only through my observations that I say this,
> I haven't looked at that part of the code).

I wonder if anyone at DC could help out here? My wish-list would be to be able
to differentiate in a convenient manner between stuff publicly available and
stuff that isn't. To generalise this further, I'd love to be able to assign the
usability of a method or access to an object on a role basis, with special roles
including 'anonymous' for public access and 'system' for calls from other
objects. Kind of like putting public: and private: in a C++ or Java class, but
with finer control.

> Hmmm... I don't think I'd be brave enough to name something "manage" :)

Okay, this isn't a problem, because if you try and create one, you get told the
id is invalid because it is already in use :-)

Well, hope people can help,

Chris