Just to add to these comments:

bruno modulix wrote:
> Thomas Rampelberg wrote:
> > Is there a way to keep users from being able to see any of the management pages?
>
> In the security tab, there's a 'View management screens'
>
> > For example, return a 404 error if someone tries to go to http://zopesite/manage or http://zopesite/object/manage.
>
> If you run Zope behind Apache, you could take advantage of rewrite rules and access control to hide 'manage' URLs from requests on port 80 while allowing 'em on 8080 (or whatever port your Zope listens to).
>
> You could do management through a secure shell: ssh www.yoursite.com -L8080:localhost:8080, then use Apache to allow only localhost:8080/manage requests to get to the real management URLs.
>
> > In a similar vein, how would you go about keeping users from executing Python scripts or external methods by just typing in the path to that object (http://zopesite/pythonscript) yet still let the pages that use those methods access them?
>
> It's in the fine manual, section "proxy roles".
Do you mean "Allow anonymous users to see a page that contains the output from a script, but deny the anonymous user the ability to call that script directly"? In the FM it is not so obvious how you do this:

1. Give the Python script the View/Manager only permission, then
2. Call the script from a DTML document that has the Manager proxy role.

That at least stops the script from being called from the browser URL box. I am not sure this would do any good. If hackers want to get at your script with fake data they could try calling your DTML document with their own parameters.

Cliff

Sorry, I seem to have stolen a thread - deleted original message.
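For anyone wanting to try bruno's Apache suggestion, here is an added example of what the front-end configuration can look like. It is not from this thread or from the Zope project; the hostname www.example.com, the 127.0.0.1:8080 back end, the VirtualHostMonster-style proxy rule and the `manage` URL pattern are all assumptions to adapt to your own setup. The public vhost on port 80 answers 404 to anything that looks like a management URL before proxying the rest to Zope, and the management path stays reachable only through an ssh tunnel to the loopback interface, which is what the `-L8080:localhost:8080` command above sets up.

```apache
# Assumed layout (added example, not the thread's own config):
#   Apache on port 80 is the only thing exposed to the internet.
#   Zope listens on 127.0.0.1:8080 only, so the ZMI is reachable
#   solely through:  ssh www.example.com -L8080:localhost:8080
#   and then http://localhost:8080/manage in the admin's browser.
<VirtualHost *:80>
    ServerName www.example.com

    RewriteEngine On

    # Any path segment named "manage" or "manage_<something>" (e.g.
    # /manage, /folder/manage_main, /manage_workspace) is answered
    # with a plain 404 before it ever reaches Zope. The "-" means
    # "no substitution"; R=404 drops the rule chain with that status.
    RewriteRule (^|/)manage(_[^/]*)?(/|$) - [R=404,L,NC]

    # Everything else is proxied to Zope through its VirtualHostMonster
    # so generated URLs keep the public host name and port.
    RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{SERVER_NAME}:80/VirtualHostRoot/$1 [P,L]
</VirtualHost>
```

Two things are worth checking once this is in place: request http://www.example.com/manage and http://www.example.com/anything/manage_main from outside and confirm both return 404 in the Apache access log, and confirm from a second host that port 8080 is not reachable directly (the tunnel, not Apache, is what should be carrying management traffic). Note that this only hides the management screens from the public port; it does not replace the 'View management screens' permission, which still governs who can use them once they get there.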