[Zope] Restricting URL access to objects that are not complete web pages
Stephen Simmons
stephen.simmons@healtharena.net
Thu, 21 Sep 2000 01:27:29 +0200
After reading the Zope lists for a couple of months to struggle up the Zope
learning curve, it's time for my first question.
I want to serve web pages build up from a database of document components.
Zope's object-based subsystems should be completely hidden so that the only
objects accessible over the web interface are complete, well-formed HTML web
pages.
For the sake of simplicity, suppose we have three types of components, web
pages, articles and sections. These components obey the following 4 rules:
1. Web pages operate just like a DTML document, where the articles and
sections from which it is built are specified via dtml-var. The page
definition starts with standard_html_header and _footer (or similar) to
create nice HTML output.
2. Articles are primarily meant for inclusion within a web page so that
they are displayed in a browser by specifying the URL of their containing
web page. However if an article's URL is specified, the article
automatically gets wrapped in an HTML template.
3. Sections are only used as building blocks for other documents so it must
not be possible to retrieve a section via a URL.
4. Similarly, standard_html_header and other methods/objects not meant to
be a standalone web page should not be accessible via a URL.
My thoughts were to use an html_header that tracks how deeply components are
nested so that inner components turn off the page wrapper. This achieves 1
and 2. This also achieves 3 if sections raise an exception if their page
wrapper is not turned off.
But 4 was where I got stuck. I want to use the full magic of acquisition
when assembling web pages from components within a page, but prevent
acquisition from returning other objects via URLs.
So mypage in http://myserver:8080/myarea/mypage is able to find
standard_html_header by acquisition but
http://myserver:8080/myarea/mypage/standard_html_header gives a not-found
error.
Any suggestions? Something involving permissions/roles? Hacking
before_bobo_traverse()? Something simpler?
Thanks for any assistance!
Stephen
_______________________________
Stephen Simmons
HealthArena B.V.
phone +31 20 486 0555
stephen.simmons@healtharena.net