[Zope] what security should these methods have?
Dieter Maurer
dieter@handshake.de
Sat, 22 Sep 2001 00:23:05 +0200 (CEST)
kosh@aesaeion.com writes:
> __call__, __bobo_traverse__
>
> I have been going through my products trying to lock things down more
> using the new security model and I have been making all the security
> explicit. Mostly because it makes it easy to change and easy to see what
> the permissions are. However what kinds of security should those two items
> have? private? public? protected? if protected what permission should they
> be protected by? What is a good place to find this information overall
> since it doesn't seem to be in the zope developers guide which I kind of
> expected some of this kind of info in.
Currently, there is no need to protect "__bobo_traverse__".
This method can only be called from an unrestricted context...
With respect to "__call__": the permission that protects "__call__"
should depend on what "__call__" usually does:
E.g., for "DTMLMethod.__call__", the permission is "View",
but for the "__call__" of Z SQL methods, it is
"Use database methods"....
Dieter