Dieter Maurer wrote:
> My primary concern (and maybe Chris') is, how can we prevent
> these objects from being viewed by Anonymous.
Yup, that's exactly my point...
cheers,
Chris
___
Zope maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinf
Dieter Maurer wrote:
> Management, however, would be more difficult, as there are no
> good defaults for the "URL Traversable" permission.
> It is not easy to determine (e.g.) for a DTML method/document
> whether it is only used as a component (such as
> "standard_html_header") or is a full grown
Seb Bacon wrote:
> edit a document through WebDAV but *not* TTW. In my mind, you're either
> authenticated to do a task, or you're not. It doesn't matter *how* you do
> it. That's why 'listable' or something like it would be a better name for
> the permission than 'URL Traversable', IMHO (altho
Seb Bacon writes:
> OK, I think we're talking about the same thing now...but could you give me
> an example of any object that would need to be traversable by Anonymous?
> index_html, for example, doesn't need to be traversable (I still prefer
> 'listable'). Viewable TTW, yes, but that's all
Oh dear, I fear that this is going round and round and round in circles a
bit, and that no-one else is following it, but here goes anyway :>
> The "traversable" permission would be an additional requirement
> to view any object. Its main purpose would be to distinguish
> between "use via Web" and
Seb Bacon writes:
>
> > Currently, Zope tries to have very few explicit, object specific
> > permissions. The ideal is that permissions are specified high above in
> > the hierarchy and acquired by lower objects.
> > This is quite possible with the current scheme.
> > Implementing an "U
Oops,
I forgot to forward my last mail on this subject to the list. My response
here to Dieter's response contains the main points though...
> > > I think the implementation would be easy.
> > > Management, however, would be more difficult, as there are no
> > > good defaults for th
Seb Bacon writes:
> For me, the 'visibility' problem is a real bugbear. Apart from the
> 'security' issue of anon. users being able to list objectIds, it means I am
> loath to allow clients to manage their sites through the manage interface.
> This is because they'll see it littered with met
> > This is because the thing which makes
> > the problem hard is that something like standard_html_header wants to be
> > editable by Managers TTW, which means it also has to be visible TTW.
> > However, it's probably not something you want exposed to anonymous
> > users, especially a