Paul Winkler wrote:
On Sun, Jan 29, 2006 at 12:19:24PM +0100, Balazs Ree wrote:
So this is where I see the importance of this: allow access to a
method/template via RPC only, and disallow the method to be called
directly from the browser.

I'm curious.
How do you distinguish between a jsonrpc request and a direct
browser request?

There are a few attributes that distinguish a jsonrpc request in Zope3 from a direct browser request.

First, the request must be a POST with a content-type of "application/json-rpc". That is the listening handshake registered by jsonserver so that the request is handled as a JSONRPCRequest.

The URL for object traversal is the URL of the context object. The method to be performed is identified in the body of the request, and has a specific syntax for method and parameters. The methods on the server side are provided in a view class for the context object, and are protected by permissions registered in zcml. When jsonserver gets the request, the appropriate method of the view class is invoked in the context of the context object, and the results are returned in jsonrpc format.

The methods of the view class are not very different from methods of any other browser view class. In a page template, they would likely be accessible as "view/method_name". But they are also not accessible by direct URL traversal, unless you do extra work to allow that.

In Zope2, with ttw object methods, the distinction between a jsonrpc request and a direct browser request can be a bit blurred. Such a method would have a URL and would be ordinarily traversable in a direct browser request.

-Jim Washington
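The distinction Jim describes (a JSON-RPC call is a POST with content-type "application/json-rpc" that names the method in its body, while a direct browser request only traverses a URL and never reaches the view's methods) as an added illustration, not code from jsonserver or Zope3; the `Request` shape, the `FolderView` class and its permission table standing in for zcml declarations are all assumptions:

```python
import json

# Constructed illustration, not jsonserver/Zope3 code: the view class, the
# permission table (stand-in for zcml) and the Request shape are assumptions.
JSONRPC_CONTENT_TYPE = "application/json-rpc"


class Request:
    def __init__(self, method, content_type, path, body=b""):
        self.method = method
        self.content_type = content_type
        self.path = path
        self.body = body


class FolderView:
    """Hypothetical view class for a context object (here, a plain list)."""
    # Assumed permission registration for each exposed method.
    permissions = {"list_items": "zope.View", "delete_item": "zope.ManageContent"}

    def __init__(self, context):
        self.context = context

    def list_items(self):
        return sorted(self.context)

    def delete_item(self, name):
        self.context.remove(name)
        return name


def is_jsonrpc(request):
    return request.method == "POST" and request.content_type == JSONRPC_CONTENT_TYPE


def dispatch(request, context, principal_permissions):
    """Route a request: JSON-RPC calls reach view methods; direct traversal does not."""
    if not is_jsonrpc(request):
        # A direct browser request traverses the URL only; the view's methods
        # are not URL segments, so nothing on the view is invoked.
        return {"error": "not traversable: %s" % request.path}
    call = json.loads(request.body)
    name = call["method"]
    if name not in FolderView.permissions:
        return {"id": call.get("id"), "error": "unknown method"}
    if FolderView.permissions[name] not in principal_permissions:
        return {"id": call.get("id"), "error": "unauthorized"}
    result = getattr(FolderView(context), name)(*call.get("params", []))
    return {"id": call.get("id"), "result": result}
```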
_______________________________________________
Zope3-dev mailing list
Zope3-dev@zope.org
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com