17 Sep 2004, 7:36 p.m.
Hi Edward,
Simple problem: a password change form.
The form is a page template. It submits to another page template. This page template calls a python script that changes your password in LDAP (via external methods). I'm leaving off quite a bit, here, of course.
How can I secure the python scripts so that clever users cannot arbitrarily execute them?
First you have to protect the templates and scripts by assigning no-view permissions for Anonymous. Then you could get the authenticated user from the external method and see if he's changing his own password; otherwise, you could raise an Unauthorized exception.
Regards, Josef
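
The check described in the reply above, as an added example that is not part of the original message: the external method itself compares the authenticated Zope user with the account being changed, so calling the script directly by URL gains nothing. `change_password`, `authorize_password_change`, `ldap_set_password`, `DemoUser` and `DEMO_DIRECTORY` are hypothetical names, and the LDAP write is a constructed stand-in.

```python
try:  # inside Zope these are the real security API
    from AccessControl import getSecurityManager, Unauthorized
except ImportError:  # stand-ins so the example also runs without Zope
    class Unauthorized(Exception):
        pass
    getSecurityManager = None

DEMO_DIRECTORY = {}  # constructed stand-in for the LDAP directory


def ldap_set_password(uid, new_password):
    """Hypothetical helper; the real one would perform the LDAP modify."""
    DEMO_DIRECTORY[uid] = new_password


def authorize_password_change(user, target_uid):
    """Return the uid that may be modified, or raise Unauthorized."""
    user_id = user.getId()  # None for Zope's Anonymous User
    if not user_id:
        raise Unauthorized("log in to change a password")
    if target_uid != user_id:
        raise Unauthorized("you may only change your own password")
    return user_id


def change_password(self, uid, new_password):
    """External Method entry point; `self` is the calling context."""
    user = getSecurityManager().getUser()
    # Write to the uid returned by the check, never the raw form value.
    ldap_set_password(authorize_password_change(user, uid), new_password)
    return "password changed"


class DemoUser:  # constructed test double for a Zope user object
    def __init__(self, user_id):
        self.user_id = user_id

    def getId(self):
        return self.user_id


def is_allowed(user, target_uid):
    """Convenience wrapper: True if the change would be authorized."""
    try:
        authorize_password_change(user, target_uid)
        return True
    except Unauthorized:
        return False
```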