[Zope-dev] Methods through the Web (security?)

Chris Withers chrisw@nipltd.com
Thu, 18 May 2000 17:06:59 +0100


Martijn Faassen wrote:
> Various things. What you'd need is turn off 'view' permission by
> default for just about *everything* except possibly DTML Documents,
> otherwise it's just too easy to set up a site that exposes too
> much. Exposure to URLs should be turned off by default.

Well, this is why doing it with permissions is great because you can set
it to your preference in the root folder and acquire it from there
onwards...

> Everything would still have 'execute' permission, so I don't think
> that should be a permission at all, as everything really has it and
> nothing can do without it anyway.

Yes, but you may want to restrict WHO can execute something. Perhaps you
have a method that only managers should be able to execute, and no-one
should be able to 'view'.

> 'view' and 'access' merge into a single thing called 'access'.

I still don't really see any point in the 'access' permission and, in
fact, I've just been bitten badly by it (see my RecentChanges post to the
Zope list...)

> the question is if you really ever want that in a site. You usually
> only call such methods from DTML.

Not so, try out ZWiki's ;-)

I notice there is an FTP permission already. Maybe there should be:
- an execute permission
- a 'view' permission for each 'server': HTTP, FTP, XML-RPC...

cheers,

Chris
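The scheme sketched in the message above (one execute permission plus a separate view permission per server, with unset permissions acquired from the containing folder down from the root) can be modelled in a few lines. The following is an added illustration written for this page; it is not code from the original thread and not Zope's real security API. The Node class, the permission names, the role names and the sample site are all assumptions made for the example.

```python
# Toy model of the permission scheme discussed above: one 'Execute'
# permission plus one 'View' permission per server (HTTP, FTP, XML-RPC),
# with any permission that has no local setting acquired from the
# containing folder. Hypothetical illustration, not Zope's security API.

from typing import Dict, Optional, Set

EXECUTE = "Execute"
VIEW_HTTP = "View (HTTP)"
VIEW_FTP = "View (FTP)"
VIEW_XMLRPC = "View (XML-RPC)"
SERVERS = {"HTTP": VIEW_HTTP, "FTP": VIEW_FTP, "XML-RPC": VIEW_XMLRPC}


class Node:
    """A folder, document or method (hypothetical class). `settings` maps a
    permission name to the set of roles granted it; a permission with no
    local entry is acquired from the parent chain."""

    def __init__(self, name: str, parent: Optional["Node"] = None,
                 settings: Optional[Dict[str, Set[str]]] = None):
        self.name = name
        self.parent = parent
        self.settings = settings or {}

    def roles_for(self, permission: str) -> Set[str]:
        """Walk up the containment chain to the nearest explicit setting.
        Deny-all if nothing sets the permission, even at the root."""
        node: Optional[Node] = self
        while node is not None:
            if permission in node.settings:
                return node.settings[permission]
            node = node.parent
        return set()


def can_execute(obj: Node, roles: Set[str]) -> bool:
    """A call from DTML needs only Execute; no server exposure is involved."""
    return bool(roles & obj.roles_for(EXECUTE))


def can_access(obj: Node, roles: Set[str], server: str) -> bool:
    """A request arriving over a server needs Execute plus that server's View."""
    if server not in SERVERS:
        raise ValueError(f"unknown server {server!r}")
    return can_execute(obj, roles) and bool(roles & obj.roles_for(SERVERS[server]))


def build_site() -> Dict[str, Node]:
    """Constructed sample site (assumption): the root turns URL exposure off
    for everyone but Manager, a 'public' folder re-enables viewing over HTTP,
    and a helper method is executable by Manager only and viewable by no one."""
    root = Node("root", settings={
        EXECUTE: {"Anonymous", "Manager"},
        VIEW_HTTP: {"Manager"},
        VIEW_FTP: {"Manager"},
        VIEW_XMLRPC: set(),
    })
    public = Node("public", root, settings={VIEW_HTTP: {"Anonymous", "Manager"}})
    index = Node("index_html", public)          # acquires every setting
    helper = Node("helper_method", root, settings={
        EXECUTE: {"Manager"},
        VIEW_HTTP: set(),
        VIEW_FTP: set(),
        VIEW_XMLRPC: set(),
    })
    return {"root": root, "public": public, "index_html": index,
            "helper_method": helper}


if __name__ == "__main__":
    site = build_site()
    anon, mgr = {"Anonymous"}, {"Manager"}
    print(can_access(site["index_html"], anon, "HTTP"))    # True: HTTP view acquired from 'public'
    print(can_access(site["index_html"], anon, "FTP"))     # False: FTP view acquired from root
    print(can_access(site["helper_method"], mgr, "HTTP"))  # False: nobody may view it by URL
    print(can_execute(site["helper_method"], mgr))         # True: Manager may still call it from DTML
    print(can_execute(site["helper_method"], anon))        # False: Execute restricted to Manager
```

The point the model makes concrete is the one argued in the message: keeping Execute separate from the per-server View permissions lets a method be callable from DTML by managers while remaining unreachable by URL, FTP or XML-RPC for everyone, and setting the View permissions once at the root lets every object below inherit that default unless a folder explicitly re-opens it.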