[Zope-dev] Methods through the Web (security?)

Martijn Faassen faassen@vet.uu.nl
Thu, 18 May 2000 16:48:00 +0200


Brian Lloyd wrote:
> I don't have a good answer for you, though I tend to agree with 
> you that some things just don't want to be accessed outside of 
> some larger context. I'd like to hear some different viewpoints 
> on how people think something like this should work...

What the difference seems to be is exposure to the surfer through a URL.
So, you could equip all items in the object tree with a flag 
'expose', that is off by default. When the user should be able
to view the thing through a URL (such as index_html), you turn it on. Would
this have any unforeseen problems?

You could even have some user interface help here. Imagine I made an
index_html but forgot to expose it. Now, still logged in as manager,
I try to view it. Zope detects I'm trying to view something through
a URL that I'm not supposed to see, so asks something like "hey,
you tried to view this but it's not set to be exposed, expose this?". If
the manager chooses 'yes', the expose flag is set to true.

Hm, I suppose the problem here would arise with methods that directly
return HTML output through a URL. This would seem to be fairly rare,
though, and you can always wrap it up in some object that does have
the expose flag.

Regards,

Martijn
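
The default-off 'expose' flag proposed in this message, sketched as an added example (not part of the original post and not Zope code). Item, publish, resolve, NotExposed and confirm_expose are hypothetical names; the sketch assumes only the final object named by the URL is checked, and that internal calls from an exposed object bypass the flag.

```python
# Added illustration: Item, publish, etc. are hypothetical names, not Zope APIs.

class Item:
    def __init__(self, name, render, expose=False):  # flag is off by default
        self.name, self.render, self.expose = name, render, expose
        self.children = {}

    def add(self, child):
        self.children[child.name] = child
        return child

class NotExposed(Exception):
    def __init__(self, item, offer_expose):
        super().__init__(item.name)
        self.item = item
        self.offer_expose = offer_expose  # True only when a manager asked

def resolve(root, path):
    """Internal lookup by path; deliberately does not consult the flag."""
    node = root
    for seg in filter(None, path.split("/")):
        node = node.children[seg]  # KeyError means "not found"
    return node

def publish(root, url_path, is_manager=False):
    """The only entry point for URL requests; the flag is enforced here."""
    target = resolve(root, url_path)
    if not target.expose:
        raise NotExposed(target, offer_expose=is_manager)
    return target.render(root)

def confirm_expose(err):
    """Apply a manager's 'yes' to the 'expose this?' prompt."""
    if not err.offer_expose:
        raise PermissionError("only a manager may expose an item")
    err.item.expose = True

def build_sample():
    """Constructed tree: an exposed page that calls an unexposed helper."""
    root = Item("", lambda r: "root")
    root.add(Item("sidebar", lambda r: "<ul>links</ul>"))
    root.add(Item("index_html",
                  lambda r: "<html>" + resolve(r, "sidebar").render(r) + "</html>",
                  expose=True))
    return root
```
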