[Zope] Restricting URL access to objects that are not complete web pages

[Steve Alexander]

Stephen Simmons wrote:
> 
> Steve,
> 
> Ideally the publishability of an object would be an internal property of
> that object, not something that is set externally via rules in SiteAccess.
> It's been a little while since I last looked at SiteAccess, but wouldn't
> using SiteAccess force you to store publishable objects in one part of the
> database hierarchy and non-publishables in another? If you wanted
> publishables and non-publishables all mixed up in the same folders,
> SiteAccess's rules might get a bit complicated.

Yes, this is not a neat solution, unless you have already designed your
site to use siteaccess in this way.

> Another approach could be to:
> - create a folder that does a RESPONSE.setStatus(404) as the URL traversal
> machinery passes it. This sets up the default condition of 'NotFound' error
> for the URL
> - at the end of the URL, if the final object is publishable or the final
> item is a publishable method called on a publishable object, do a
> RESPONSE.setStatus(200) to say 'OK'.

Even if you don't reset the status to 200 and it remains as 404, the
page will still get sent to the browser. You don't want to mess with the
traversal machinery on this, as you want traversal to continue to work
as it does now.

I think your intent is to block direct requests from a web-browser for
particular objects. The easiest way of doing this is to check
REQUEST.steps[-1] to see if it equals the current object's id.

If you want this to be fairly transparent, perhaps based on a particular
permission or property, then I think you'll need to patch part of Zope,
probably HTTPRequest.py.
 
--
Steve Alexander
Software Engineer
Cat-Box limited
http://www.cat-box.net