preventing acquisition
I have found acquisition useful in several cases, but I would like to eliminate it for certain folders

I have

/-index_html
|
|--DOCS/
|
|--IMAGES/
|
|--RUBBISH/

it's useful in DOCS/mydoc_html to refer to IMAGES/myimage.gif, but I really don't want RUBBISH/index_html to be available as /DOCS/RUBBISH

Do I have to go through a whole rigmarole of defining roles/users or is there some easy way to make RUBBISH non-acquirable?

-- Robin Becker
On Sat, 31 Jul 1999, Robin Becker wrote:
> it's useful in DOCS/mydoc_html to refer to IMAGES/myimage.gif, but I really don't want RUBBISH/index_html to be available as /DOCS/RUBBISH

So what's that bad about DOCS/RUBBISH. As long as the user doesn't know about the URL, it isn't even visible. And the security applies to acquired documents the same.
If you really want to do this, you might check the URL requested in your document and raise errors if it is wrong. Beware, that this might become very quickly a maintenance nightmare.

Andreas
--
Andreas Kostyrka | andreas@mtg.co.at
phone: +54/1/7070750 | phone: +43/676/4091256
MTG Handelsges.m.b.H. | fax: +43/1/7065299
Raiffeisenstr. 16/9 | 2320 Zwoelfaxing AUSTRIA
In article <Pine.LNX.4.10.9908010037350.26507-100000@gatekeeper.zwax.mtg.co.at>, Andreas Kostyrka <andreas@mtg.co.at> writes
> On Sat, 31 Jul 1999, Robin Becker wrote:
>> it's useful in DOCS/mydoc_html to refer to IMAGES/myimage.gif, but I really don't want RUBBISH/index_html to be available as /DOCS/RUBBISH
> So what's that bad about DOCS/RUBBISH. As long as the user doesn't know about the URL, it isn't even visible. And the security applies to acquired documents the same.
exactly I want a simple way to make it invisible to normal users
> If you really want to do this, you might check the URL requested in your document and raise errors if it is wrong. Beware, that this might become very quickly a maintenance nightmare.
-- Robin Becker
On Sun, 1 Aug 1999, Robin Becker wrote:
> In article <Pine.LNX.4.10.9908010037350.26507-100000@gatekeeper.zwax.mtg.co.at>, Andreas Kostyrka <andreas@mtg.co.at> writes
>> On Sat, 31 Jul 1999, Robin Becker wrote:
>>> it's useful in DOCS/mydoc_html to refer to IMAGES/myimage.gif, but I really don't want RUBBISH/index_html to be available as /DOCS/RUBBISH
>> So what's that bad about DOCS/RUBBISH. As long as the user doesn't know about the URL, it isn't even visible. And the security applies to acquired documents the same.
> exactly I want a simple way to make it invisible to normal users

It is already invisible. URLs are invisible by default :)
Andreas
--
Andreas Kostyrka | andreas@mtg.co.at
phone: +54/1/7070750 | phone: +43/676/4091256
MTG Handelsges.m.b.H. | fax: +43/1/7065299
Raiffeisenstr. 16/9 | 2320 Zwoelfaxing AUSTRIA
Robin Becker wrote:
> I have found acquisition useful in several cases, but I would like to eliminate it for certain folders
>
> I have
>
> /-index_html
> |
> |--DOCS/
> |
> |--IMAGES/
> |
> |--RUBBISH/
>
> it's useful in DOCS/mydoc_html to refer to IMAGES/myimage.gif, but I really don't want RUBBISH/index_html to be available as /DOCS/RUBBISH
>
> Do I have to go through a whole rigmarole of defining roles/users or is there some easy way to make RUBBISH non-acquirable?
> --
The index_html method in R could check the roles of the user, and raise NotFound if you weren't happy about user seeing RUBBISH/. Any combination of DTML check could be made before you did a <dtml-raise NotFound><dtml-zippy></dtml-raise>. The Zippy tag filling in for an insightful error message in this case.

For example (and I actually checked this, usually I just make it up):

<dtml-var standard_html_header>
<dtml-if "'Anonymous' in AUTHENTICATED_USER.getRoles()">
  <dtml-raise NotFound>
    <h2>Your not supposed to be looking at <dtml-var "absolute_url()"> </h2>
  </dtml-raise>
</dtml-if>

<h2><!--#var title_or_id--></h2>
<p> This is the <!--#var id--> Document. </p>
<dtml-var standard_html_footer>

-Michel
Robin Becker
_______________________________________________ Zope-Dev maillist - Zope-Dev@zope.org http://www.zope.org/mailman/listinfo/zope-dev
(To receive general Zope announcements, see: http://www.zope.org/mailman/listinfo/zope-announce
For non-developer, user-level issues, zope@zope.org, http://www.zope.org/mailman/listinfo/zope )
In article <37A412DF.19C384F7@digicool.com>, Michel Pelletier <michel@digicool.com> writes
> Robin Becker wrote:
>> I have found acquisition useful in several cases, but I would like to eliminate it for certain folders
>>
>> I have
>>
>> /-index_html
>> |
>> |--DOCS/
>> |
>> |--IMAGES/
>> |
>> |--RUBBISH/
>>
>> it's useful in DOCS/mydoc_html to refer to IMAGES/myimage.gif, but I really don't want RUBBISH/index_html to be available as /DOCS/RUBBISH
>>
>> Do I have to go through a whole rigmarole of defining roles/users or is there some easy way to make RUBBISH non-acquirable?
>> --
> The index_html method in R could check the roles of the user, and raise NotFound if you weren't happy about user seeing RUBBISH/. Any combination of DTML check could be made before you did a <dtml-raise NotFound><dtml-zippy></dtml-raise>. The Zippy tag filling in for an insightful error message in this case.
this is nice, but it doesn't really answer the question. If I said that I want /Status/index_html to be valid, but not /DOCS/Status/index_html this isn't a function of the user at all, but of the absolute URL so I guess I want to ensure that the document id corresponds to the absolute URL. But even though I can check and act on this it isn't the same as making the /Status folder to be non acquirable.
> For example (and I actually checked this, usually I just make it up):
>
> <dtml-var standard_html_header>
> <dtml-if "'Anonymous' in AUTHENTICATED_USER.getRoles()">
>   <dtml-raise NotFound>
>     <h2>Your not supposed to be looking at <dtml-var "absolute_url()"> </h2>
>   </dtml-raise>
> </dtml-if>
>
> <h2><!--#var title_or_id--></h2>
> <p> This is the <!--#var id--> Document. </p>
> <dtml-var standard_html_footer>
>
> -Michel
-- Robin Becker
In article <BWrBiGA+QCp3EwMI@jessikat.demon.co.uk>, Robin Becker <robin@jessikat.demon.co.uk> writes
> In article <37A412DF.19C384F7@digicool.com>, Michel Pelletier <michel@digicool.com> writes
>> Robin Becker wrote:
>>> I have found acquisition useful in several cases, but I would like to eliminate it for certain folders
>>>
>>> I have
>>>
>>> /-index_html
>>> |
>>> |--DOCS/
>>> |
>>> |--IMAGES/
>>> |
>>> |--RUBBISH/
>>>
>>> it's useful in DOCS/mydoc_html to refer to IMAGES/myimage.gif, but I really don't want RUBBISH/index_html to be available as /DOCS/RUBBISH
>>>
>>> Do I have to go through a whole rigmarole of defining roles/users or is there some easy way to make RUBBISH non-acquirable?
>>> --
>> The index_html method in R could check the roles of the user, and raise NotFound if you weren't happy about user seeing RUBBISH/. Any combination of DTML check could be made before you did a <dtml-raise NotFound><dtml-zippy></dtml-raise>. The Zippy tag filling in for an insightful error message in this case.
> this is nice, but it doesn't really answer the question. If I said that I want /Status/index_html to be valid, but not /DOCS/Status/index_html this isn't a function of the user at all, but of the absolute URL so I guess I want to ensure that the document id corresponds to the absolute URL.
> But even though I can check and act on this it isn't the same as making the /Status folder to be non acquirable.
...

my version of Michel's code looks like

<dtml-var standard_html_header>
<dtml-if "PARENTS[0].id not in PARENTS[1].objectIds()">
  <dtml-raise NotFound>
    <h2>You're not supposed to be looking at <dtml-var "absolute_url()"> </h2>
  </dtml-raise>
</dtml-if>
<h1>Status</h1>
<dtml-var get_status>
<dtml-var standard_html_footer>

now assuming /Status/index_html is the database path, host/Status works, but host/DOCS/Status fails

-- Robin Becker
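The containment check from the last message, modelled as an added example (not code from the thread or from Zope): a toy traversal that acquires missing names from outer folders, the one-hop PARENTS test, and a stricter every-hop variant that goes beyond what the thread discusses. The Folder class, the helper names and the nested Private folder are assumptions made for illustration; real Zope traversal uses acquisition wrappers rather than this simplified lookup.

```python
# Toy model of Zope-style URL traversal with acquisition (not Zope code).
class NotFound(Exception):
    pass

class Folder:
    def __init__(self, id, container=None):
        self.id, self.children = id, {}
        if container is not None:
            container.children[id] = self

    def objectIds(self):
        return list(self.children)

def traverse(root, url):
    """Walk a URL; return PARENTS with the innermost object first."""
    parents = [root]
    for name in filter(None, url.split("/")):
        # Look in the current object first, then acquire from outer ones.
        hit = next((p.children[name] for p in parents if name in p.children), None)
        if hit is None:
            raise NotFound(url)
        parents.insert(0, hit)
    return parents

def last_hop_contained(parents):
    """The test from the thread: PARENTS[0].id in PARENTS[1].objectIds()."""
    return len(parents) < 2 or parents[0].id in parents[1].objectIds()

def every_hop_contained(parents):
    """Generalization: each object must really live in the one before it."""
    return all(outer.children.get(obj.id) is obj
               for obj, outer in zip(parents, parents[1:]))

def publish(root, url, check):
    parents = traverse(root, url)
    if not check(parents):
        raise NotFound(url)  # same outcome as <dtml-raise NotFound>
    return parents[0].id

def build_site():
    # Constructed sample tree; "Private" is a hypothetical nested folder.
    root = Folder("")
    docs = Folder("DOCS", root)
    Folder("IMAGES", root)
    Folder("Status", root)
    Folder("Private", docs)
    return root

if __name__ == "__main__":
    site = build_site()
    for url in ("/Status", "/DOCS/Status", "/DOCS/Private", "/IMAGES/DOCS/Private"):
        p = traverse(site, url)
        print(url, last_hop_contained(p), every_hop_contained(p))
```

The one-hop test is enough for a folder that sits directly under the root, as Status does; for a nested folder, an acquired intermediate hop still passes it, which is what the every-hop variant rejects.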
participants (3)
- Andreas Kostyrka
- Michel Pelletier
- Robin Becker