On Thu, 4 Nov 2004 16:43:19 -0700, Thomas Rampelberg <pyronicide@gmail.com> wrote:
> Is there a way to keep users from being able to see any of the management pages? For example, return a 404 error if someone tries to go to http://zopesite/manage or http://zopesite/object/manage.
This would also apply to yourself wanting to access the ZMI; are you sure you want to do this? Unless they can authenticate they will not see the ZMI ... they'd need to login as a user with the "Manager" role. (or be granted this access through a script using a manager proxy role executing arbitrary code because it trusted a form field passed to it by a user *g*...) To hide the ZMI from users knowledgeable about Zope you could modify the source to use a different URI for the ZMI but I'd advise against this since you'd have to reiterate the procedure over each newly upgraded Zope.
> In a similar vein, how would you go about keeping users from executing python scripts or external methods by just typing in the path to that object (http://zopesite/pythonscript) yet still let the pages that use those methods to access them?
Protect them via the "Security" tab (in ZMI) then only users with the required privileges can render, inspect and/or modify the so restrained Z-Object.

--
--- The Count
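
The Security-tab change described in the reply above can also be audited and applied from code. This is an added example, not part of the original thread: it uses Zope's `objectValues`, `rolesOfPermission`, `acquiredRolesAreUsedBy` and `manage_permission`, while the `exposed` and `restrict` helpers, the stub classes and the object ids are constructed for illustration.

```python
# Added example: audit and tighten a permission on directly traversable objects.
SCRIPT_TYPES = ['Script (Python)', 'External Method']  # Zope meta_type values

def exposed(folder, permission='View'):
    """List (id, reason) for scripts Anonymous may reach under `permission`."""
    report = []
    for obj in folder.objectValues(SCRIPT_TYPES):
        granted = [r['name'] for r in obj.rolesOfPermission(permission)
                   if r['selected']]
        if 'Anonymous' in granted:
            report.append((obj.getId(), 'granted to Anonymous'))
        elif obj.acquiredRolesAreUsedBy(permission):
            report.append((obj.getId(), 'acquired from parent'))
    return report

def restrict(obj, roles=('Manager',), permission='View'):
    """Same effect as unticking 'Acquire' and ticking `roles` on the Security tab."""
    obj.manage_permission(permission, roles=list(roles), acquire=0)

class StubScript:
    """Constructed stand-in for a Zope object, so the example runs offline."""
    meta_type = 'Script (Python)'
    valid_roles = ('Anonymous', 'Authenticated', 'Manager', 'Owner')
    def __init__(self, id, roles=(), acquire=1):
        self.id, self.roles, self.acquire = id, list(roles), acquire
    def getId(self):
        return self.id
    def rolesOfPermission(self, permission):
        return [{'name': r, 'selected': 'SELECTED' if r in self.roles else ''}
                for r in self.valid_roles]
    def acquiredRolesAreUsedBy(self, permission):
        return 'CHECKED' if self.acquire else ''
    def manage_permission(self, permission, roles=(), acquire=0):
        self.roles, self.acquire = list(roles), acquire

class StubFolder:
    """Constructed stand-in for a Zope folder."""
    def __init__(self, *objs):
        self.objs = objs
    def objectValues(self, spec=None):
        return [o for o in self.objs if spec is None or o.meta_type in spec]

def demo():
    folder = StubFolder(StubScript('sendmail', ['Anonymous']),
                        StubScript('helper'),
                        StubScript('locked', ['Manager'], acquire=0))
    before = exposed(folder)
    for obj in folder.objectValues(SCRIPT_TYPES):
        restrict(obj)
    return before, exposed(folder)
```

Zope checks the permission against the visiting user even when a page calls the script, so choose roles that the page's intended visitors hold, unless the calling object carries a proxy role.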