[Zope-dev] Methods through the Web (security?)

Jason Spisak 444@hiretechs.com
Wed, 17 May 2000 20:39:37 GMT


Brian:

> > While I'm at it, is there any way to make DTML methods accessible to
> > objects (such as other DTML methods) but not through URLs 
> > other than by
> > a tortuous series of proxy roles?
> > I've expressed views about an 'execute' permission in the 
> > past but these
> > have fallen on deaf ears.
> > 
> > For example:
> > http://www.codecatalog.com/standard_html_footer
> > 
> > This is messy and there's no reason why it needs to be 
> > exposed through a
> > URL.
> 
> I don't have a good answer for you, though I tend to agree with 
> you that some things just don't want to be accessed outside of 
> some larger context. I'd like to hear some different viewpoints 
> on how people think something like this should work...
> 

I sounds like there's a want for a distinction of things that can and
cannot be published(Viewed by URL alone).  Do <dtml-var mything> and
/mything use different machinery to render the calls?  Is there a
difference in Zope between 'publishing' and just 'rendering' or calling? If
there is (because I haven't looked at any code, I'm just theorizing) they
you'd want a permission that allowed processing by either/or both sets
rendering and publishing methods.

Way-over-my-head-bowing-out-as-I-finish-the-thoughtly yours,

Jason Spisak
CIO
HireTechs.com
6151 West Century Boulevard
Suite 900
Los Angeles, CA 90045
P. 310.665.3444
F. 310.665.3544

Under US Code Title 47, Sec.227(b)(1)(C), Sec.227(a)(2)(B) This email
address may not be added to any commercial mail list with out my
permission.  Violation of my privacy with advertising or SPAM will
result in a suit for a MINIMUM of $500 damages/incident, $1500 for
repeats.