[Zope-dev] Methods through the Web (security?)

Martijn Faassen faassen@vet.uu.nl
Thu, 18 May 2000 17:05:18 +0200


Chris Withers wrote:
> The solution I proposed before is simple (maybe not to implement ;-) and
> I think solves all the problems:
> 
> Split the current 'view' permission into two new permissions:
> 1. View - allow users to directly access an object through
> HTTP/FTP/XML-RPC/etc
> 2. Execute - allow non-direct execution of a method by a user, for
> example by them viewing another method/object which they have the 'view'
> permission for.

[snip]

> Comments? (hopefully I'll get some this time... ;-)

Various things. What you'd need is to turn off 'view' permission by
default for just about *everything* except possibly DTML Documents,
otherwise it's just too easy to set up a site that exposes too
much. Exposure to URLs should be turned off by default.

Everything would still have 'execute' permission, so I don't think
that should be a permission at all, as everything really has it and
nothing can do without it anyway.

Anyway, see my other posts. I think you would need to do something like
this:

'view' and 'access' merge into a single thing called 'access'.

'access' then gets split into 'access through URL', 'access through
FTP', 'access through XML-RPC'. By default, 'access through URL' is 
turned *off* for anonymous surfers for all objects. You need to
turn this on explicitly. Note that you quickly overestimate the
amount of cases this needs to be done. In fact, I think in the site
I have in production use here, there's just one or two index_html's that
need to be given 'access through URL' permission. :)

The tricky bit is if you want methods on objects that *are* accessible
through URLs. There doesn't seem to be a good way to do that now, but
the question is if you really ever want that in a site. You usually 
only call such methods from DTML.

Regards,

Martijn
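
Added example, not part of the original message and not Zope's security API: a toy Python model of the scheme proposed in the message, where direct access is granted per channel and is off by default, while calls made from inside another object's code are not channel-checked. The `Site` class, the object names and the sample data are constructed for illustration.

```python
ANONYMOUS = "Anonymous"
CHANNELS = ("URL", "FTP", "XML-RPC")


class Unauthorized(Exception):
    pass


class Site:
    """Hypothetical object store; stands in for a published object tree."""

    def __init__(self):
        self.bodies = {}   # object name -> callable(site, role) returning text
        self.grants = {}   # (object name, channel) -> roles allowed direct access

    def add(self, name, body):
        self.bodies[name] = body
        for channel in CHANNELS:
            self.grants[(name, channel)] = set()   # default: nothing is exposed

    def allow(self, name, channel, role):
        self.grants[(name, channel)].add(role)

    def publish(self, channel, name, role):
        """Direct access from outside: the per-channel permission is checked."""
        if role not in self.grants[(name, channel)]:
            raise Unauthorized(f"{role} may not access {name} through {channel}")
        return self.bodies[name](self, role)

    def call(self, name, role):
        """Indirect call from another object's code (e.g. DTML): no channel check."""
        return self.bodies[name](self, role)


def build_site():
    # Constructed sample: one page that calls one helper method.
    site = Site()
    site.add("list_members", lambda s, role: "alice, bob")
    site.add("index_html", lambda s, role: "Members: " + s.call("list_members", role))
    site.allow("index_html", "URL", ANONYMOUS)   # the one explicit grant
    return site


def try_publish(site, channel, name, role=ANONYMOUS):
    """Return the rendered text, or None when direct access is refused."""
    try:
        return site.publish(channel, name, role)
    except Unauthorized:
        return None
```

The helper method is reachable only through `index_html`; requesting it directly over any channel is refused because no grant was ever made for it.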