--On Friday, 17 September 2004 11:26 -0600 Edward Pollard <pollej@uleth.ca> wrote:
> Hello all,
> Simple problem: a password change form.
> The form is a page template. It submits to another page template. This page template calls a python script that changes your password in LDAP (via external methods). I'm leaving off quite a bit, here, of course.
> How can I secure the python scripts so that clever users cannot arbitrarily execute them?
Write the script in a way that you determine the username based on the authentication from Zope (getSecurityManager().getUser().getUserName()) and then change the password in LDAP using the passed password from the form. This should be safe enough since the script does not allow you to pass the username and it will only change the password for the logged in user. I don't see a way to fake authentication at this point.

-aj
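The pattern aj describes, as an added example that is not part of this thread: the form-driven variant beside the hardened one, in framework-neutral Python so it runs without Zope. The `authenticated_user` parameter stands in for `getSecurityManager().getUser().getUserName()`, the in-memory dictionary stands in for the LDAP directory the external method would update, and the old-password check is an extra step not mentioned in the thread.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the LDAP directory: username -> (salt, sha256 hash).
# In the real external method this would be an LDAP password modify instead.
def _hash(password, salt):
    return hashlib.sha256(salt + password.encode()).hexdigest()

def make_directory(users):
    directory = {}
    for name, password in users.items():
        salt = os.urandom(8)
        directory[name] = (salt, _hash(password, salt))
    return directory

def verify(directory, name, password):
    salt, stored = directory[name]
    return hmac.compare_digest(stored, _hash(password, salt))

def set_password(directory, name, password):
    salt = os.urandom(8)
    directory[name] = (salt, _hash(password, salt))

ANONYMOUS = "Anonymous User"  # Zope's user name for an unauthenticated request

def change_password_unsafe(form, directory):
    """The risk in the question: the target account is taken from the form,
    so any caller can name any account."""
    set_password(directory, form["username"], form["new_password"])
    return form["username"]

def change_password(form, authenticated_user, directory):
    """Hardened per the reply: the account is the authenticated user; any
    'username' field in the form is ignored."""
    if authenticated_user == ANONYMOUS or authenticated_user not in directory:
        raise PermissionError("password change requires an authenticated user")
    # Added check beyond the thread: prove knowledge of the current password
    # before replacing it, so a hijacked session alone is not enough.
    if not verify(directory, authenticated_user, form.get("old_password", "")):
        raise PermissionError("current password incorrect")
    set_password(directory, authenticated_user, form["new_password"])
    return authenticated_user
```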