[Zope-dev] objectIds -- accessible for everyone -- why?

Casey Duncan cduncan@kaivo.com
Mon, 18 Dec 2000 11:25:38 -0700


morten@esol.no wrote:
> 
> If you type in http://www.zope.org/Members/objectIds you get a list of
> all Members.  Although it is a useful feature.. ;) .. I can't really
> see why objectIds should be available for everyone, at any given time.
> 
> Is this a bug or a feature?
> 
> -Morten
> 

I was able to do this as anonymous on another Zope site as well. It
basically lets you do a directory listing of any folderish object. Using
objectValues, you can learn the type of objects that live there too.

This lets you learn about all objects, even if you do not have view
rights to the object listed. However, you do need view rights to the
folder you are calling objectIds for.

This does seem to me like a way for clandestine users to learn more
information about your site than they need to know. Perhaps this
"feature" needs to be locked down.

-- 
| Casey Duncan
| Kaivo, Inc.
| cduncan@kaivo.com
`------------------>
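
The behaviour described in this message, shown as an added example that is not part of the original post and is not Zope source code: a toy Python model in which the listing call checks only the caller's view right on the folder, next to a variant that also filters children by the caller's view right. All class and function names are hypothetical and the sample site is constructed; the audit helper reports which objects a role can enumerate without being able to view them.

```python
# Toy model (constructed; NOT Zope source code) of the check described above.
from dataclasses import dataclass, field

@dataclass
class Item:
    id: str
    meta_type: str
    viewers: set                       # roles holding view rights on this object
    children: dict = field(default_factory=dict)

    def add(self, item):
        self.children[item.id] = item
        return item

def object_ids_folder_check_only(folder, role):
    """Reported behaviour: only the folder's own view right is checked."""
    if role not in folder.viewers:
        raise PermissionError(f"{role} may not view {folder.id}")
    return sorted(folder.children)

def object_ids_filtered(folder, role):
    """Locked-down variant: children the caller cannot view are omitted."""
    if role not in folder.viewers:
        raise PermissionError(f"{role} may not view {folder.id}")
    return sorted(i for i, c in folder.children.items() if role in c.viewers)

def audit_listing_leaks(folder, role, path=""):
    """Paths of objects that `role` can enumerate but has no right to view."""
    here = f"{path}/{folder.id}"
    if role not in folder.viewers:
        return []                      # listing refused, nothing below is exposed
    leaks = []
    for child in folder.children.values():
        if role not in child.viewers:
            leaks.append(f"{here}/{child.id}")
        leaks.extend(audit_listing_leaks(child, role, here))
    return leaks

def build_sample_site():
    """Constructed sample hierarchy for the demonstration."""
    root = Item("site", "Folder", {"Anonymous", "Manager"})
    members = root.add(Item("Members", "Folder", {"Anonymous", "Manager"}))
    members.add(Item("alice", "Folder", {"Anonymous", "Manager"}))
    members.add(Item("bob", "Folder", {"Manager"}))
    admin = root.add(Item("admin", "Folder", {"Manager"}))
    admin.add(Item("backup.sql", "File", {"Manager"}))
    return root

if __name__ == "__main__":
    for leaked in audit_listing_leaks(build_sample_site(), "Anonymous"):
        print("enumerable but not viewable:", leaked)
```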