Yeah, using dtml-sqlvar fixed it. I'm having a different problem now... I need to get a list of users in ACL_USERS to create a form where people can assign stuff to different users. Here's the code for the display...

<SELECT NAME="AssignedTo">
<dtml-in "acl_users.getUserNames()">
<OPTION LABEL="<dtml-var sequence-item>" VALUE="<dtml-var sequence-item>"><dtml-var sequence-item></OPTION>
</dtml-in>
</SELECT>

But when I try it using a regular (non-manager/owner) it says:

Error Type: Unauthorized
Error Value: You are not allowed to access getUserNames in this context

What could be wrong?

Thanks,
Derek Wilson

-----Original Message-----
From: Erik Myllymaki [mailto:erik.myllymaki@aviawest.com]
Sent: Thursday, October 09, 2003 4:34 PM
To: Derek S. Wilson; zope@dylanreinhardt.com; Eric Merritt
Cc: Zope Users
Subject: Re: [Zope] RDBMS Applications and direct calling of script(python) and sql methods

I use this ZSQL method to return the ID number of my users:

----------------------------------------------------------------------------
select employee_id from staff where login = <dtml-sqlvar "REQUEST.get('AUTHENTICATED_USER')" type=string>
----------------------------------------------------------------------------
Says keyerror AUTHENTICATED_USER when I try it.

Thanks,
Derek Wilson
-----Original Message-----
From: Erik Myllymaki [mailto:erik.myllymaki@aviawest.com]
Sent: Thursday, October 09, 2003 3:54 PM
To: zope@dylanreinhardt.com; Eric Merritt
Cc: Zope Users
Subject: Re: [Zope] RDBMS Applications and direct calling of script(python) and sql methods
On Thu, 2003-10-09 at 13:36, Eric Merritt wrote:
Let's take a simple example: assume that each user has an id that is keyed to his 'stuff'. The zsql method must be passed this id to access his stuff. This is all fine and good. A script(python) method could provide this to the zsql method behind the scenes without any great issue. The problem comes in when the user attempts to access this zsql method via its url. Going this route he could pretty easily supply an arbitrary id and get access to information that he shouldn't have.
Yes, that would be a problem... so don't do it that way. :-)
Instead, have Zope provide you the name of the user from its authentication machinery. That's *much* harder to spoof.
To get this, cook up a Python script called get_user and use this for the code:
----
from AccessControl import getSecurityManager
return getSecurityManager().getUser().getUserName()
----
Now include a call to get_user() when you need to pass in the username as a parameter to your query.
Any reason why you shouldn't just use <dtml-var AUTHENTICATED_USER> as a parameter to your SQL query?
just curious...
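The point the reply above makes, shown side by side as an added Python example that is not from the thread: the first function trusts an employee_id taken from the request, the second derives it from the authenticated identity and binds it as a query parameter (the job dtml-sqlvar does in the ZSQL method). The staff/stuff tables and FakeSecurityManager are constructed stand-ins for this illustration, not Zope's real AccessControl API.

```python
import sqlite3

# Constructed stand-in for the "staff" table in Erik's ZSQL method plus a
# "stuff" table keyed by employee_id (example data, not from the thread).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE staff (employee_id INTEGER PRIMARY KEY, login TEXT UNIQUE);
        CREATE TABLE stuff (employee_id INTEGER, item TEXT);
        INSERT INTO staff VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO stuff VALUES (1, 'alice-report'), (2, 'bob-report');
    """)
    return conn

class FakeSecurityManager:
    """Hypothetical stand-in for Zope's getSecurityManager().getUser();
    the identity is fixed by the server side, not by anything in the request."""
    def __init__(self, username):
        self._username = username
    def getUser(self):
        return self
    def getUserName(self):
        return self._username

def stuff_by_request_id(conn, request):
    """Vulnerable pattern from the thread: a ZSQL method reachable by URL
    that trusts whatever employee_id the caller puts in the request."""
    return [r[0] for r in conn.execute(
        "SELECT item FROM stuff WHERE employee_id = ?",
        (request.get("employee_id"),))]

def stuff_for_authenticated_user(conn, security_manager):
    """Hardened pattern: the login comes from the authentication machinery
    (the get_user script in the thread) and is bound as a parameter rather
    than pasted into the SQL text."""
    login = security_manager.getUser().getUserName()
    return [r[0] for r in conn.execute(
        "SELECT s.item FROM stuff s JOIN staff t ON t.employee_id = s.employee_id "
        "WHERE t.login = ?", (login,))]
```

The request-driven version hands alice bob's rows the moment she edits the id in the URL; the identity-driven version can only ever return the caller's own rows.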
_______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )