[Zope3-dev] Re: URLs & Paths

Shane Hathaway shane@zope.com
Wed, 12 Dec 2001 11:15:55 -0500


Tim Hoffman wrote:

> I gotta say the .../contact/view;acquire business really makes me
> worried. 
> 
> I know I must be missing heaps here, but doesn't this mean
> that we are making the behaviour of acquisition visible and therefore
> invokeable from outside the system (i.e. just by the inclusion or removal
> of an argument in a URL)? Could this not lend itself to exploits?

Not any worse than today.  Today you simply don't have to specify 
";acquire"--yet things are still acquired, which can indeed lead to 
exploits.  Fortunately the security machinery isn't fooled this way.

Shane