[Zope] ZClass' Method permissions

Oleg Broytmann <phd@phd.fep.ru>
Wed, 4 Apr 2001 13:01:05 +0400 (MSD)


Hello!

   Can anyone explain the mechanism under the "Define Permissions" tab on
ZClasses?
   I do not understand the screen. Why can I set the "Delete Objects" permission
to "Add Site Roots"? Why do I need it?

   What's worse, I don't understand this explanation: "For ZClass methods,
only permissions that are defined for the ZClass are permitted."

   I want to protect a DTML Method in a ZClass so that it won't be
accessible by Anonymous.
   Example: I want to protect the importRSS method of the RSS Channel product.
Currently, anyone who discovered the name of the object can call importRSS
with any URL, thus cracking my site. And it is easy to discover these
objects as any page on the site has a view_source link.

Oleg.
----
     Oleg Broytmann     http://www.zope.org/Members/phd/     phd@phd.pp.ru
           Programmers don't die, they just GOSUB without RETURN.