[Zope] hiding includes from webacces

Duncan Booth duncan@rcp.co.uk
Thu, 12 Apr 2001 15:30:11 +0100


Chris Withers wrote:
> Nils Decker wrote:
> > 
> > Is there a way to deny direct access to Objects, but allow them to
> > be included into other documents? I have tried to setup a role
> > "include" and set my index_html to proxy to this rule, but it did
> > not work. 
> 
> This is something I've been looking to do since I first started usign
> Zope abotu a year and a half ago :-(
> 
> Anyone got any ideas, I'd love to hear them...

There is a rather kludgy solution if you host Zope behind another 
web server such as Apache, which is to apply a naming convention 
to web callable methods and non-web methods. For example, if 
you arrange for all URLs to be lowercased (not the query string), 
and include at least one capital letter in any non-web method, but 
none in web accessible methods.
This would only work of course if the administrators can bypass the 
web server and go straight to Zope.

A slightly cleaner way still based on rewrites would be to separate 
the methods into different folders and remove the name of the folder 
with the non-web accessible methods from any URL.

-- 
Duncan Booth                                             duncan@rcp.co.uk