[Zope-dev] RE: objectIds accessibility & and a proposal

Toby Dickenson tdickenson@geminidataloggers.com
Wed, 20 Dec 2000 09:43:14 +0000


On Mon, 18 Dec 2000 14:11:51 -0500, "Brian Lloyd" <brian@digicool.com>
wrote:

>This is something that has come up before. I propose 
>that the real problem here is that 'objectIds' should 
>not be web-traversable. 
>
>I have, in fact, proposed this before. It caused a bit 
>of grumbling among people using xml-rpc, who were using
>objectIds remotely, so we never came to closure on it.

Please No.

Zope security is complex enough without having to worry about
different security settings depending on how a method is accessed.
(And we should have a lower tolerance for complexity when it applies
to security)

If a user has permission to access a method then he should be able to
access it any way (xmlrpc, ZPublisher, DTML, PythonMethods)

Conversely, if a user is given an "Access Denied" message using one
means of access (say, using ZPublisher) then he *must* also be denied
using every other one. Security testing is much harder without this
property.



If anyone is seriously worried about this as a problem then they can already
deny Anonymous users the 'Access contents information' permission, and
grant a proxy role to methods that generate indexes. (Indeed, this may
make sense as the default configuration)



Toby Dickenson
tdickenson@geminidataloggers.com
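
The following is an added example, not part of the original message and not Zope code: a simplified Python model of the invariant argued for above (one permission decision shared by every access path) and of the proxy-role configuration suggested in the last paragraph. All class and function names, and the sample folder, are hypothetical and constructed for illustration.

```python
# Simplified model only; names are hypothetical and this is not Zope's implementation.
PERMISSION = "Access contents information"
CHANNELS = ("ZPublisher", "xmlrpc", "DTML", "PythonMethods")

class Folder:
    def __init__(self, ids, role_permissions):
        self.ids = list(ids)
        self.role_permissions = role_permissions  # role -> set of permissions

    def allowed(self, roles):
        # Single decision point: depends only on roles, never on the channel.
        return any(PERMISSION in self.role_permissions.get(r, set()) for r in roles)

    def objectIds(self, roles):
        if not self.allowed(roles):
            raise PermissionError("Access Denied")
        return list(self.ids)

def call(folder, channel, roles):
    """Invoke objectIds through a named channel; every channel shares one check."""
    if channel not in CHANNELS:
        raise ValueError(channel)
    return folder.objectIds(roles)

def channel_restricted_call(folder, channel, roles):
    """The alternative objected to: same permission, but refused over the web."""
    if channel in ("ZPublisher", "xmlrpc"):
        raise PermissionError("Access Denied")
    return call(folder, channel, roles)

def index_method(folder, proxy_roles=("Manager",)):
    """Index generator with a proxy role: runs with proxy_roles, whoever calls it."""
    return sorted(folder.objectIds(proxy_roles))

def decisions(dispatch, folder, roles):
    """Map each channel to True (allowed) or False (denied) for the given roles."""
    out = {}
    for ch in CHANNELS:
        try:
            dispatch(folder, ch, roles)
            out[ch] = True
        except PermissionError:
            out[ch] = False
    return out

def consistent(dispatch, folder, roles):
    """True when every channel gives the same answer for these roles."""
    return len(set(decisions(dispatch, folder, roles).values())) == 1

# Constructed sample: Anonymous has no 'Access contents information' permission.
SAMPLE = Folder(["secret_report", "index_html"], {"Manager": {PERMISSION}})
```

With the shared check, testing one channel tells you the answer for all of them; with the channel-restricted variant, each (role, channel) pair has to be tested separately.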