[Zope-dev] Methods through the Web (security?)
Chris Withers
chrisw@nipltd.com
Wed, 17 May 2000 13:58:37 +0100

Hi,

With all the talk of security and Zope 2.2 I thought I'd throw this one
into the post again:

How come you can browse things like the objectIds and objectValues
methods through the web? Surely this is exposing information that people
shouldn't really know about?

For example, check out:
http://www.zope.org/objectIds

While I'm at it, is there any way to make DTML methods accessible to
objects (such as other DTML methods) but not through URLs other than by
a tortuous series of proxy roles?

I've expressed views about an 'execute' permission in the past but these
have fallen on deaf ears.

For example:
http://www.codecatalog.com/standard_html_footer

This is messy and there's no reason why it needs to be exposed through a
URL.

cheers,

Chris