[Zope-dev] Methods through the Web (security?)

Chris Withers chrisw@nipltd.com
Thu, 18 May 2000 10:14:28 +0100


Brian Lloyd wrote:

[snip]

> > Won't this break Amos' XML-RPC-based editor and similar hacks?
> 
> Waaa.... probably. Ok, so I've _provisionally_ changed this in
> the current CVS. I feel a to-the-death-cage-match coming on.

Horse before the cart?

Maybe the XML-RPC editor needs fixing 'cos something got fixed in Zope?!

> > Can't you just turn off 'Access contents information' permission or
> > whatever it is on a folder if you don't want people to call
> > those things through the web?
> 
> Yes you could, except that you would also make them inaccessible
> from DTML (or from anywhere else) for the same class of users.

...as I found out when I first ran into this problem...

...and as I said in the first post you can get round this using a
tortuous set of proxy roles (dunno how that'll get screwed up in 2.2)
but it's not a 'nice' solution to what should be a fairly simple
problem.

> Is it really acceptable that in order to use <dtml-in objectIds>
> on a page that needs to be accessible to anonymous users that I
> must grant 'Access contents information' to anonymous users and
> thus give them the ability to inspect my objects if they want to?

No!!! ;-)

The solution I proposed before is simple (maybe not to implement ;-) and
I think solves all the problems:

Split the current 'view' permission into two new permissions:
1. View - allow users to directly access an object through
HTTP/FTP/XML-RPC/etc
2. Execute - allow non-direct execution of a method by a user, for
example by them viewing another method/object which they have the 'view'
permission for.

This effectively provides the same functionality as adding or removing a
docstring from a method in a python class, and could be used to replace
it, as it's not really documented anywhere.

I can't really see a use for the 'Access contents information' permission
other than an additional control over and above these two new ones.

As a simple example:
-index_html (role X has view permission)
<dtml-var standard_html_header>
Some Text
</BODY></HTML>

-standard_html_header (role X has execute but not view permission)
<HTML><BODY>

So, a user with role X can view index_html and have it render properly
(although it wouldn't if he didn't have the execute permission on
standard_html_header) but if the user tried to view standard_html_header
on its own, he would get an unauthorised error...

Comments? (hopefully I'll get some this time... ;-)

cheers,

Chris

PS: The XML-RPC stuff could just be given the new view permission for
objectIds, if it REALLY needs it... although this would mean the
docstrings thing would have to be replaced, which isn't necessarily a
bad thing ;-)
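The View/Execute split proposed above, modelled as an added example. This is not Zope code and not part of the original post: `DocumentMethod`, `Folder`, `direct_request` and `build_site` are hypothetical names chosen for illustration, and the `<dtml-var ...>` expansion is a toy regex substitute for Zope's DTML renderer. A request arriving over HTTP/FTP/XML-RPC is checked against 'View'; every method pulled in from inside a page is checked against 'Execute' only, so role X can render index_html (which includes standard_html_header) but cannot fetch standard_html_header on its own, and index_html stops rendering if X loses 'Execute' on the header.

```python
# Added example (not Zope's own code): a toy model of splitting the 'View'
# permission into 'View' (direct access over HTTP/FTP/XML-RPC) and
# 'Execute' (use from inside another object the caller may view).
# All names below are hypothetical and exist only for this illustration.
import re

# Toy stand-in for DTML: only <dtml-var name> inclusion is modelled.
DTML_VAR = re.compile(r"<dtml-var\s+(\w+)>")


class Unauthorized(Exception):
    """Raised when the acting roles lack the required permission."""


class DocumentMethod:
    """A DTML-like method: a body plus the roles granted each permission."""

    def __init__(self, name, body, view=(), execute=()):
        self.name = name
        self.body = body
        # permission name -> roles that hold it on this object
        self.permissions = {"View": set(view), "Execute": set(execute)}

    def allows(self, permission, roles):
        return bool(self.permissions[permission] & set(roles))


class Folder:
    """Holds named methods and applies the two-permission rule."""

    def __init__(self, methods):
        self.methods = {m.name: m for m in methods}

    def direct_request(self, name, roles):
        """A request from the outside world (HTTP, FTP, XML-RPC): needs 'View'."""
        method = self.methods[name]
        if not method.allows("View", roles):
            raise Unauthorized(f"{name}: roles {sorted(roles)} lack View")
        return self._render(method, roles, depth=0)

    def _render(self, method, roles, depth):
        """Expand <dtml-var x>; each inclusion needs 'Execute' on x, not 'View'."""
        if depth > 16:  # guard against a template that includes itself
            raise RecursionError(f"{method.name}: inclusion too deep")

        def expand(match):
            inner = self.methods[match.group(1)]
            if not inner.allows("Execute", roles):
                raise Unauthorized(f"{inner.name}: roles {sorted(roles)} lack Execute")
            return self._render(inner, roles, depth + 1)

        return DTML_VAR.sub(expand, method.body)


def build_site():
    """The two objects from the mail, with the permissions it describes."""
    index_html = DocumentMethod(
        "index_html",
        "<dtml-var standard_html_header>\nSome Text\n</BODY></HTML>",
        view={"X"},
        execute={"X"},
    )
    header = DocumentMethod(
        "standard_html_header",
        "<HTML><BODY>",
        view=set(),      # role X may NOT fetch this directly...
        execute={"X"},   # ...but may use it from inside index_html
    )
    return Folder([index_html, header])


def demo():
    """Run the three cases from the mail and report what each one yields."""
    site = build_site()
    results = {}
    # 1. X views index_html: renders, header included.
    results["index_html"] = site.direct_request("index_html", {"X"})
    # 2. X fetches standard_html_header directly: refused.
    try:
        site.direct_request("standard_html_header", {"X"})
        results["header_direct"] = "allowed"
    except Unauthorized:
        results["header_direct"] = "unauthorized"
    # 3. Take Execute away from X on the header: index_html no longer renders.
    site.methods["standard_html_header"].permissions["Execute"].discard("X")
    try:
        site.direct_request("index_html", {"X"})
        results["index_no_execute"] = "rendered"
    except Unauthorized:
        results["index_no_execute"] = "unauthorized"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome!r}")
```

Note that `direct_request` is the only entry point that checks 'View'; an XML-RPC call for objectIds would go through it too, which is the reason the PS suggests granting the new View permission on objectIds rather than relying on the docstring convention.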