On 25 Oct 1999 20:50:01 -0500, Evan Gibson wrote:
On Mon, Oct 25, 1999 at 06:12:12PM -0700, Jonothan Farr wrote:
Issues to address: security (not as much of a problem as with my read/write product)
The only security issue I've addressed is that '..' is not allowed as a directory name; it will throw a ValueError. Also, of course, the Zope server has to have permissions to access any files that it tries to read through LocalFS. If anyone can think of any others, please let me know.
I was planning on writing a product like this myself (but of course didn't quite get past just thinking about it in my head! I have so many projects like that!) What I was planning on doing for security was having an "access" file in the products directory that contained a list of directories and a list of the files (allowing wildcards) that you were allowed to access in _that_ directory. It was going to default to only letting you read txt and log files in the product directory itself (defined by .). You could also add roles to this file.
My 'file access' product creates Zope folders which correspond to directories and other interesting objects. These Zope folders can use the std Zope acl_users (or whatever) and can also contain methods and products in the Zope database specific to that directory or file tree. This allows you to create different meta-data for the same directories, depending on how they are accessed from Zope (different subdir folders pointing at the same filesys path).
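An added example, not part of the original thread and not LocalFS code: one way to combine the '..' rejection Jonothan describes with the per-directory "access" file Evan describes. The `directory: patterns` line format and the names `parse_access` and `resolve` are assumptions, and the real-path check for symlinks goes beyond what the thread mentions.

```python
import fnmatch
import os
import posixpath

# Default described in the thread: only txt and log files in "." itself.
DEFAULT_RULES = {".": ["*.txt", "*.log"]}


def parse_access(text):
    """Parse hypothetical access-file lines: 'directory: pattern pattern ...'."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # allow trailing comments
        if not line:
            continue
        directory, _, patterns = line.partition(":")
        rules[posixpath.normpath(directory.strip())] = patterns.split()
    return rules or dict(DEFAULT_RULES)


def resolve(base, request, rules=DEFAULT_RULES):
    """Return the real path for `request` under `base`, or raise."""
    parts = request.split("/")
    # Same rule as in the thread: '..' is never a valid path component.
    if ".." in parts or "\\" in request or "\0" in request:
        raise ValueError("illegal path component in %r" % request)
    parts = [p for p in parts if p not in ("", ".")]
    if not parts:
        raise ValueError("no file named")
    directory = "/".join(parts[:-1]) or "."
    name = parts[-1]
    # The directory must be listed and the name must match one of its patterns.
    if not any(fnmatch.fnmatchcase(name, pat) for pat in rules.get(directory, ())):
        raise PermissionError("%s is not listed for %s" % (name, directory))
    # A symlink inside an allowed directory can still point outside the
    # base, so compare real paths after resolution.
    real_base = os.path.realpath(base)
    real = os.path.realpath(os.path.join(real_base, *parts))
    if os.path.commonpath([real_base, real]) != real_base:
        raise PermissionError("%r resolves outside the base directory" % request)
    return real
```

A directory that does not appear in the rules allows nothing, so subdirectories are denied until they are listed explicitly.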