In my opinion Tres's way is the correct one for this case Why? Because the original must be is to run the script only for internal processes The main diference between an internal call and a user one is the REQUEST parameter and then the Tres's solution seems the more convenient way It's only my opinion 2009/4/28 Jaroslav Lukesh <lukesh@seznam.cz>
Why? It is more transparent and better way - use security tab.
----- Original Message ----- From: "Tres Seaver" <tseaver@palladion.com>
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Pedro LaWrench wrote:
I need to do something on the filesystem, which requires unrestricted python, so I created an external method. The problem is that anyone can call that directly via URL, so I added a permission check. Even then, users with the sufficient permissions can call this via URL, which I don't want them to do. I only want them to have access indirectly from other pages (such as a page template that will pass sane parameters). Is there anyway to do this?
Add a REQUEST argument to your function, defaulting to None. The publisher will always pass the request in for that argument, while the other templates / scripts should not. E.g.:
def doSomething(self, REQUEST=None): """ Don't call me directly via a URL!!! """ if REQUEST is not None: raise ValueError('Wicked, evil, naughty Zoot!')
_______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
-- Mis Cosas http://blogs.sistes.net/Garito Zope Smart Manager http://blogs.sistes.net/Garito/670