[Zope] Access Control vs Publishing Protocol

Michael Bernstein webmaven@lvcm.com
Mon, 09 Oct 2000 07:50:22 -0700


Chris Withers wrote:
> 
> Toby Dickenson wrote:
> > Those people were concerned that too many things were exposed via
> > ZPublisher also.... My interpretation was that the issue is one of
> > access control, not publishing protocol.
> 
> I think the issue is that you can't limit the visibility of objects
> right now.
> You can limit their access easily enough (or more tortuously if you
> don't want people to access the bits of a page on their own
> (standard_*,etc) via a complex web of proxy roles and required
> permissions) but there doesn't appear to be any easy way to say "right,
> I want this object exposed for reading and writing via FTP and reading
> via HTTP, while this one shouldn't be URL traversable but I'd like to
> edit it via WebDAV and this method is for use via XML-RPC but really
> shouldn't be visible anywhere else."

It seems like this can be handled rather well by simply
adding an 'XML-RPC access', a 'SOAP access' and a 'WebDAV
access' set of permissions. We already have an 'FTP access'
permission which works fine. These could then be matched
with appropriate 'view' permissions as well.

On a slightly different note, I think that the permissions
list should be viewable in two more ways: A view where
permissions are grouped into 'subjects', (for example all
the ones I just mentioned should go into an 'access protocol'
subject and possibly a 'view protocol' subject) and another
view where permissions are grouped according to the roles
that have them. These different views should all be on the
same tab, with hyperlinks to switch between them (sort of
like the 'local roles' screen is linked from 'security').

Michael Bernstein.
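
The following is an added example, not part of the original message and not Zope's security API: a toy model of per-protocol gate permissions combined with action permissions, run against the three cases from the quoted message. The 'HTTP access' gate, the 'Change' permission, the role names and the `allowed` and `report` functions are assumptions made for illustration.

```python
# Toy model for illustration only; this is not Zope's security machinery.
GATE = {
    "ftp": "FTP access",         # existing permission, per the post
    "webdav": "WebDAV access",   # proposed in the post
    "xmlrpc": "XML-RPC access",  # proposed in the post
    "soap": "SOAP access",       # proposed in the post
    "http": "HTTP access",       # assumption: not named in the post
}
ACTION = {"read": "View", "write": "Change"}  # "Change" is a placeholder name

def allowed(grants, roles, protocol, action):
    """grants maps a permission name to the set of roles holding it on one object.
    The caller's roles must hold both the protocol gate and the action permission."""
    gate, perm = GATE.get(protocol), ACTION.get(action)
    if gate is None or perm is None:
        return False  # unknown protocol or action: deny by default
    roles = set(roles)
    return bool(grants.get(gate, set()) & roles) and bool(grants.get(perm, set()) & roles)

# Constructed objects following the three cases in the quoted message.
page = {  # read/write via FTP, read-only via HTTP
    "FTP access": {"Editor"}, "HTTP access": {"Anonymous"},
    "View": {"Anonymous", "Editor"}, "Change": {"Editor"},
}
fragment = {  # not reachable by URL, editable via WebDAV
    "WebDAV access": {"Editor"}, "View": {"Editor"}, "Change": {"Editor"},
}
rpc_method = {  # callable via XML-RPC only
    "XML-RPC access": {"Client"}, "View": {"Client"},
}

def report():
    cases = [
        ("page", page, ["Anonymous"], "http", "read"),
        ("page", page, ["Anonymous"], "http", "write"),
        ("page", page, ["Editor"], "ftp", "write"),
        ("fragment", fragment, ["Editor"], "http", "read"),
        ("fragment", fragment, ["Editor"], "webdav", "write"),
        ("rpc_method", rpc_method, ["Client"], "xmlrpc", "read"),
        ("rpc_method", rpc_method, ["Client"], "http", "read"),
        # Roles are unioned in this model, so a caller who holds the HTTP gate
        # through one role and "Change" through another can write over HTTP.
        ("page", page, ["Anonymous", "Editor"], "http", "write"),
    ]
    return [(n, tuple(r), p, a, allowed(g, r, p, a)) for n, g, r, p, a in cases]
```

The last case shows what the gate-plus-action combination cannot express on its own: a protocol-specific action limit for a caller who holds both the gate and the action permission.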