[Zope-dev] RE: objectIds accessibility and a proposal

Brian Lloyd brian@digicool.com
Mon, 18 Dec 2000 14:11:51 -0500


> > If you type in http://www.zope.org/Members/objectIds you get a list of
> > all Members.  Although it is a useful feature.. ;) .. I can't really
> > see why objectIds should be available for everyone, at any given time.
> > 
> > Is this a bug or a feature?

> I was able to do this as anonymous on another Zope site as well. It
> basically lets you do a directory listing of any folderish object. Using
> objectValues, you can learn the type of objects that live there too.
> 
> This lets you learn about all objects, even if you do not have view
> rights to the object listed. However, you do need view rights to the
> folder you are calling objectIds for.
> 
> This does seem to me like a way for clandestine users to learn more
> information about your site than they need to know. Perhaps this
> "feature" needs to be locked down.

This is something that has come up before. I propose 
that the real problem here is that 'objectIds' should 
not be web-traversable. 

I have, in fact, proposed this before. It caused a bit 
of grumbling among people using xml-rpc, who were using
objectIds remotely, so we never came to closure on it.

This comes up often enough that I'm inclined to do 
something about it for 2.3. I propose that objectIds
(and objectValues) will not be directly accessible 
via the Web in 2.3. For xml-rpc applications, it should
be a simple enough task to create a Python Script (or 
even a DTML Method) that *is* Web accessible to relay 
that information if it is needed.

Thoughts?

Brian Lloyd        brian@digicool.com
Software Engineer  540.371.6909              
Digital Creations  http://www.digicool.com
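The behaviour discussed in this mail, as an added toy model that is not Zope's own code: a minimal path publisher in which every callable attribute of the object reached is traversable (so `/Members/objectIds` and `/Members/objectValues` answer an anonymous caller, even for children that caller may not view), beside a hardened publisher that resolves only an explicit set of names and routes XML-RPC clients through a relay script of the kind Brian suggests. The class names, `traverse()`, `outcome()`, `PUBLISHED`, the Anonymous/Manager roles, the relay's filtering of the listing, and the sample site are all assumptions made for this illustration.

```python
import inspect

# Added example, not Zope's code: a toy publisher modelling the leak the
# thread describes and the proposed fix. Names and roles are assumptions.


class Forbidden(Exception):
    """Caller lacks view permission on the object it reached."""


class NotFound(Exception):
    """Segment is neither a child id nor a published name."""


class Item:
    def __init__(self, name, meta_type="Document", view_roles=("Anonymous", "Manager")):
        self.name = name
        self.meta_type = meta_type
        self.view_roles = set(view_roles)

    def can_view(self, role):
        return role in self.view_roles


class Folder(Item):
    def __init__(self, name, view_roles=("Anonymous", "Manager")):
        super().__init__(name, "Folder", view_roles)
        self.children = {}

    def add(self, item):
        self.children[item.name] = item
        return item

    # Same names as the container API in the thread. Neither method asks
    # who is calling, which is the whole complaint.
    def objectIds(self):
        return sorted(self.children)

    def objectValues(self):
        return [self.children[k] for k in self.objectIds()]

    # Stand-in for the relay Python Script Brian suggests for XML-RPC
    # clients. Filtering to viewable children is an addition of this
    # example, not something the mail specifies.
    def listViewableIds(self, role):
        return [k for k in self.objectIds() if self.children[k].can_view(role)]


# Names the hardened publisher resolves on an object; objectIds and
# objectValues are deliberately absent, as proposed for 2.3.
PUBLISHED = frozenset({"listViewableIds"})


def traverse(root, path, role, published=None):
    """Resolve a URL path one segment at a time: child id first (checking
    the child's view permission, as the thread notes), then attribute.
    published=None means any callable attribute is reachable (the old
    behaviour); a frozenset restricts traversal to those names."""
    obj = root
    for seg in (s for s in path.split("/") if s):
        if isinstance(obj, Folder) and seg in obj.children:
            obj = obj.children[seg]
            if not obj.can_view(role):
                raise Forbidden(seg)
            continue
        if published is not None and seg not in published:
            raise NotFound(seg)
        attr = getattr(obj, seg, None)
        if not callable(attr):
            raise NotFound(seg)
        # The relay script needs the caller's role; the raw API takes none.
        wants_role = bool(inspect.signature(attr).parameters)
        obj = attr(role) if wants_role else attr()
    return obj


def build_site():
    """Constructed sample site: a public Members folder holding one public
    member folder and one that only Managers may view."""
    root = Folder("root")
    members = root.add(Folder("Members"))
    members.add(Folder("alice"))
    members.add(Folder("staff-only", view_roles=("Manager",)))
    return root


def outcome(root, path, role, hardened=False):
    """('ok', value), ('forbidden', seg) or ('notfound', seg), so the two
    publishers can be compared on the same request."""
    try:
        value = traverse(root, path, role, PUBLISHED if hardened else None)
    except Forbidden as e:
        return ("forbidden", str(e))
    except NotFound as e:
        return ("notfound", str(e))
    if isinstance(value, list):  # objectValues returns objects: show id and type
        value = [(v.name, v.meta_type) if isinstance(v, Item) else v for v in value]
    return ("ok", value)
```

Calling `outcome(build_site(), "/Members/objectIds", "Anonymous")` reproduces the complaint: the listing includes `staff-only` although `/Members/staff-only` itself is refused to that caller, and `objectValues` additionally reveals each child's type. With `hardened=True` both raw methods stop resolving and only the explicitly published relay answers, returning just the ids the caller could view. The point of the model is that "published" should be an allow-list the site author opts into, not "every callable attribute".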