Inhibit URL-traversal
Greetings,
for a product I am writing, I need to experiment with inhibiting URL-traversal to the methods and subobjects of it. I still want the methods and objects to be available via direct call, for instance:
from a script or template: container.my_product_instance.some_method(...)
but not
http://some/url/my_product_instance/some_method?...
In effect I am hiding that part of the zodb for external access.
Also, can such a behaviour be imposed on templates (they being methods really) and Script(Python)s?
Thanks,
/dario
--
Dario Lopez-Kästen, IT Systems & Services Chalmers University of Tech.
Lyrics applied to programming & application design: "emancipate yourself from mental slavery" - redemption song, b. marley
Dario Lopez-Kästen wrote at 2006-2-10 10:56 +0100:
... for a product I am writing, I need to experiment with inhibiting URL-traversal to the methods and subobjects of it. I still want the methods and objects to be available via direct call, for instance:
You can use a "SiteAccess" "AccessRule" for this. Be warned, however, that "AccessRules" can be disabled in the URL (by a few knowing people). If this concerns you, you can remove this feature from "AccessRule" (code modification).
... Also, can such a behaviour be imposed on templates (they being methods really) and Script(Python)s?
It can -- with some difficulties: Templates and scripts are called because they define "index_html" as "None". If you give a template or script a non-None "index_html", then this object will be called instead of the template/script.
-- Dieter
Dieter Maurer said the following on 2006-02-10 19:48:
Dario Lopez-Kästen wrote at 2006-2-10 10:56 +0100:
... for a product I am writing, I need to experiment with inhibiting URL-traversal to the methods and subobjects of it. I still want the methods and objects to be available via direct call, for instance:
You can use a "SiteAccess" "AccessRule" for this.
Be warned, however, that "AccessRules" can be disabled in the URL (by a few knowing people). If this concerns you, you can remove this feature from "AccessRule" (code modification).
Using an AccessRule is not precisely what I had in mind - I want my product to behave in such a way by itself - but looking at how AccessRules work will surely give me some insight. Thanks for the pointer.
... Also, can such a behaviour be imposed on templates (they being methods really) and Script(Python)s?
It can -- with some difficulties:
Templates and scripts are called because they define "index_html" as "None".
If you give a template or script a non-None "index_html", then this object will be called instead of the template/script.
I see. Is this possible to do on FS-based scripts/templates? I believe zodb-based files may be manipulated at install-time by my product, but I am not sure how to do this for FS-based stuff.
Anyway, thanks Dieter for the pointers. This will get me started :-)
/dario
Dario Lopez-Kästen wrote at 2006-2-13 08:06 +0100:
...
It can -- with some difficulties:
Templates and scripts are called because they define "index_html" as "None".
If you give a template or script a non-None "index_html", then this object will be called instead of the template/script.
I see. Is this possible to do on FS-based scripts/templates?
It is, but you have to work a bit:
You derive your own classes from the original ones and provide an appropriate "index_html" definition.
You register your classes to handle the appropriate extensions. Note that the last registration wins over previous ones. You might need to force an import of the module/s performing the other registration/s in your module to ensure that your registration is indeed the last one.
-- Dieter
Dario Lopez-Kästen wrote:
from a script or template: container.my_product_instance.some_method(...)
but not
You could try looking at some kind of __bobo_traverse__ function or maybe __before_publisher_traverse__. I've probably misspelled the latter, but it might be what you're after, since it affects the publisher but not method access...
cheers, Chris
-- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
Thanks Chris and Florent, I'll look into your suggestions too.
/dario
Dario Lopez-Kästen wrote:
Greetings,
for a product I am writing, I need to experiment with inhibiting URL-traversal to the methods and subobjects of it. I still want the methods and objects to be available via direct call, for instance:
from a script or template: container.my_product_instance.some_method(...)
but not
http://some/url/my_product_instance/some_method?...
In effect I am hiding that part of the zodb for external access.
Also, can such a behaviour be imposed on templates (they being methods really) and Script(Python)s?
Have your methods accept a REQUEST=None optional argument, and if it's not None then you were called through a URL. In that case you can redirect or raise an Unauthorized or NotFound or whatever.
Florent
-- Florent Guillaume, Nuxeo (Paris, France) Director of R&D +33 1 40 33 71 59 http://nuxeo.com fg@nuxeo.com
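The REQUEST=None guard suggested in the message above, as an added example that is not part of the thread. It runs without Zope: `publish` is a toy stand-in for the publisher's traversal and by-name argument passing, and `Unauthorized`, `Root`, `MyProduct` and `report` are hypothetical names.

```python
import inspect


class Unauthorized(Exception):
    """Stand-in for Zope's Unauthorized exception (assumption: Zope not installed)."""


class MyProduct:
    def some_method(self, value, REQUEST=None):
        """Internal helper: refuse any call that arrives with a request object."""
        if REQUEST is not None:
            # A request was handed in, so the call came through a URL.
            raise Unauthorized("some_method is not reachable by URL")
        return value.upper()

    def report(self, value, REQUEST=None):
        """Published entry point that uses the helper by direct call."""
        # No REQUEST is passed on, so the helper sees a plain Python call.
        return "result=" + self.some_method(value)


class Root:
    my_product_instance = MyProduct()


def publish(root, path, form):
    """Toy publisher: walk the URL path, then call the target, filling its
    parameters by name from the request (REQUEST gets the request itself)."""
    obj = root
    for name in path.strip("/").split("/"):
        obj = getattr(obj, name)
    request = dict(form)  # constructed sample request, not a real HTTP request
    kwargs = {}
    for pname in inspect.signature(obj).parameters:
        if pname == "REQUEST":
            kwargs[pname] = request
        elif pname in request:
            kwargs[pname] = request[pname]
    return obj(**kwargs)


def url_is_blocked(root, path, form):
    """True when publishing the path is refused with Unauthorized."""
    try:
        publish(root, path, form)
    except Unauthorized:
        return True
    return False
```

The guard only fires when REQUEST actually reaches the method, so a script or template that passes its own REQUEST along explicitly is refused as well.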
participants (4): Chris Withers, Dario Lopez-Kästen, Dieter Maurer, Florent Guillaume