[Zope3-dev] Re: xmlrpc:view (and jsonrpc:view)

Jim Washington jwashin at vt.edu
Mon Jan 30 12:17:25 EST 2006


Paul Winkler wrote:
> On Sun, Jan 29, 2006 at 12:19:24PM +0100, Balazs Ree wrote:
>   
>> So this is where I see the importance of this: allow access to a
>> method/template via RPC only, and disallow the method to be called
>> directly from the browser.
>>     
>
> I'm curious.
> How do you distinguish between a jsonrpc request and a direct
> browser request?
>
>   
There are a few attributes that distinguish a jsonrpc request in Zope3 
from a direct browser request.

First, the request must be a POST with a content-type of 
"application/json-rpc".  That is the listening handshake registered by 
jsonserver so that the request is handled as a JSONRPCRequest.

The URL for object traversal is the URL of the context object.  The 
method to be performed is identified in the body of the request, and has 
a specific syntax for method and parameters.  The methods on the server 
side are provided in a view class for the context object, and are 
protected by permissions registered in zcml.  When jsonserver gets the 
request, the appropriate method of the view class is invoked in the 
context of the context object, and the results are returned in jsonrpc 
format.

The methods of the view class are not very different from methods of any 
other browser view class.  In a page template, they would likely be 
accessible as "view/method_name".  But they are also not accessible by 
direct URL traversal, unless you do extra work to allow that.

In Zope2, with ttw object methods, the distinction between a jsonrpc 
request and a direct browser request can be a bit blurred.  Such a 
method would have a URL and would be ordinarily traversable in a direct 
browser request.

-Jim Washington
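
An added illustration of the dispatch described in this message (not jsonserver's code and not part of the original post): a request counts as JSON-RPC only when it is a POST with the "application/json-rpc" content type, the method name comes from the body, and the view method runs only if its declared permission is held. `DocumentView`, `is_jsonrpc`, `dispatch` and the `granted` set are hypothetical names, the `permissions` dict stands in for the zcml declarations, and the body fields follow JSON-RPC 1.0 as an assumption.

```python
import json

JSONRPC_CONTENT_TYPE = "application/json-rpc"  # value stated in the post

class DocumentView:
    """Hypothetical view class; its methods are reachable only via dispatch()."""
    # Stand-in for the per-method permissions the post says live in zcml.
    permissions = {"get_title": "zope.View", "set_title": "zope.ManageContent"}

    def __init__(self, context):
        self.context = context

    def get_title(self):
        return self.context["title"]

    def set_title(self, title):
        self.context["title"] = title
        return True

def is_jsonrpc(method, content_type):
    # Media-type parameters such as "; charset=utf-8" are ignored.
    media_type = (content_type or "").split(";")[0].strip().lower()
    return method == "POST" and media_type == JSONRPC_CONTENT_TYPE

def dispatch(method, content_type, body, view, granted):
    """Return a JSON-RPC response string, or None if this is not JSON-RPC."""
    if not is_jsonrpc(method, content_type):
        return None  # an ordinary browser request, handled elsewhere
    req_id = None
    try:
        call = json.loads(body)
        req_id = call.get("id")
        name, params = call["method"], call.get("params", [])
        needed = view.permissions.get(name)  # only declared methods exist
        if needed is None:
            raise LookupError("no such method")
        if needed not in granted:
            raise PermissionError("unauthorized")
        result, error = getattr(view, name)(*params), None
    except (ValueError, LookupError, AttributeError, TypeError, PermissionError) as exc:
        result, error = None, str(exc)
    return json.dumps({"result": result, "error": error, "id": req_id})

if __name__ == "__main__":
    ctx = {"title": "Home"}  # constructed sample context object
    body = json.dumps({"method": "get_title", "params": [], "id": 1})
    print(dispatch("POST", JSONRPC_CONTENT_TYPE, body, DocumentView(ctx), {"zope.View"}))
```

The method and content type are supplied by the client, so they only select the handler; the per-method permission check is what protects the view methods.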