[Zope-dev] RE: objectIds accessibility & and a proposal

Dieter Maurer dieter@handshake.de
Wed, 20 Dec 2000 22:52:05 +0100 (CET)


Toby Dickenson writes:
 > > ... protocol specific access rights ...
 > Please No.
 > 
 > Zope security is complex enough without having to worry about
 > different security settings depending on how a method is accessed.
 > (And we should have a lower tolerance for complexity when it applies
 > to security)
 > 
 > If a user has permission to access a method then he should be able to
 > access it any way (xmlrpc, ZPublisher, DTML, PythonMethods)

I agree with you mostly.

   But it might be a significant difference whether
   you access via HTTP or HTTPS or even a protocol that
   provides trusted authentication.

Furthermore, I would not bring DTML and web access on the same
level:

   There are objects that should be usable by Anonymous
   inside DTML but should not be viewable over the
   web (as they will only confuse).
   All page components (such as "standard_html_header/footer")
   fall into this category.


Dieter